krb5: fix CVE-2025-24528

In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash. Reference: https://security-tracker.debian.org/tracker/CVE-2025-24528 Upstream-patch: https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-03-25 10:46:17 +0000
committer: Khem Raj <raj.khem@gmail.com> 2025-03-25 14:57:20 -0700
commit: 2822175ed62ca4b17e41edf62fecd1fb5bd0227d (patch)
tree: 33491d5bcb6f72f6d57983c21ce96a05387e2423
parent: f9951c8a092fcb3f459e5b005d43f968e98e01dd (diff)
download: meta-openembedded-2822175ed62ca4b17e41edf62fecd1fb5bd0227d.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch
new file mode 100644
index 0000000000..ac6039edf1
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch
@@ -0,0 +1,68 @@
+From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+CVE-2025-24528:
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+[ghudson@mit.edu: edited commit message and added CVE description]
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+CVE: CVE-2025-24528
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a25..68fae91 100644
+--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
+       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
+    if (new_block > UINT16_MAX) {
+        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+               upd->kdb_princ_name.utf8str_t_len,
+               upd->kdb_princ_name.utf8str_t_val);
+        return KRB5_LOG_ERROR;
+    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }
+-- 
+2.40.0
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
index 7489181322..b64bdb4af7 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
           file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
+           file://CVE-2025-24528.patch;striplevel=2 \
 "
 SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"
author	Divya Chellam <divya.chellam@windriver.com>	2025-03-25 10:46:17 +0000
committer	Khem Raj <raj.khem@gmail.com>	2025-03-25 14:57:20 -0700
commit	2822175ed62ca4b17e41edf62fecd1fb5bd0227d (patch)
tree	33491d5bcb6f72f6d57983c21ce96a05387e2423
parent	f9951c8a092fcb3f459e5b005d43f968e98e01dd (diff)
download	meta-openembedded-2822175ed62ca4b17e41edf62fecd1fb5bd0227d.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch new file mode 100644 index 0000000000..ac6039edf1 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch
@@ -0,0 +1,68 @@
		1	From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
		2	From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
		3	Date: Tue, 28 Jan 2025 16:39:25 -0500
		4	Subject: [PATCH] Prevent overflow when calculating ulog block size
		5
		6	In kdb_log.c:resize(), log an error and fail if the update size is
		7	larger than the largest possible block size (2^16-1).
		8
		9	CVE-2025-24528:
		10
		11	In MIT krb5 release 1.7 and later with incremental propagation
		12	enabled, an authenticated attacker can cause kadmind to write beyond
		13	the end of the mapped region for the iprop log file, likely causing a
		14	process crash.
		15
		16	[ghudson@mit.edu: edited commit message and added CVE description]
		17
		18	ticket: 9159 (new)
		19	tags: pullup
		20	target_version: 1.21-next
		21
		22	CVE: CVE-2025-24528
		23
		24	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0]
		25
		26	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		27	---
		28	src/lib/kdb/kdb_log.c \| 10 ++++++++--
		29	1 file changed, 8 insertions(+), 2 deletions(-)
		30
		31	diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
		32	index 2659a25..68fae91 100644
		33	--- a/src/lib/kdb/kdb_log.c
		34	+++ b/src/lib/kdb/kdb_log.c
		35	@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
		36	*/
		37	static krb5_error_code
		38	resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
		39	- unsigned int recsize)
		40	+ unsigned int recsize, const kdb_incr_update_t *upd)
		41	{
		42	unsigned int new_block, new_size;
		43
		44	@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
		45	new_block *= ULOG_BLOCK;
		46	new_size += ulogentries * new_block;
		47
		48	+ if (new_block > UINT16_MAX) {
		49	+ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
		50	+ upd->kdb_princ_name.utf8str_t_len,
		51	+ upd->kdb_princ_name.utf8str_t_val);
		52	+ return KRB5_LOG_ERROR;
		53	+ }
		54	if (new_size > MAXLOGLEN)
		55	return KRB5_LOG_ERROR;
		56
		57	@@ -291,7 +297,7 @@ store_update(kdb_log_context log_ctx, kdb_incr_update_t upd)
		58	recsize = sizeof(kdb_ent_header_t) + upd_size;
		59
		60	if (recsize > ulog->kdb_block) {
		61	- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
		62	+ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
		63	if (retval)
		64	return retval;
		65	}
		66	--
		67	2.40.0
		68


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb index 7489181322..b64bdb4af7 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
29	file://krb5-kdc.service \	29	file://krb5-kdc.service \
30	file://krb5-admin-server.service \	30	file://krb5-admin-server.service \
31	file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \	31	file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
		32	file://CVE-2025-24528.patch;striplevel=2 \
32	"	33	"
33		34
34	SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"	35	SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"