[meta-oe,scarthgap] krb5: fix CVE-2025-24528

Message ID	20250325104914.3577346-1-divya.chellam@windriver.com
State	New
Headers	show Return-Path: <Divya.Chellam@windriver.com> ip: 205.220.166.238, mailfrom: prvs=517906a106=divya.chellam@windriver.com) From: dchellam <divya.chellam@windriver.com> To: <openembedded-devel@lists.openembedded.org> Subject: [oe][meta-oe][scarthgap][PATCH] krb5: fix CVE-2025-24528 Date: Tue, 25 Mar 2025 10:49:14 +0000 Message-ID: <20250325104914.3577346-1-divya.chellam@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[meta-oe,scarthgap] krb5: fix CVE-2025-24528 \| expand [meta-oe,scarthgap] krb5: fix CVE-2025-24528

Message ID

20250325104914.3577346-1-divya.chellam@windriver.com

State

New

Headers

From: dchellam <divya.chellam@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [oe][meta-oe][scarthgap][PATCH] krb5: fix CVE-2025-24528
Date: Tue, 25 Mar 2025 10:49:14 +0000
Message-ID: <20250325104914.3577346-1-divya.chellam@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[meta-oe,scarthgap] krb5: fix CVE-2025-24528 | expand

Commit Message

dchellam March 25, 2025, 10:49 a.m. UTC

From: Divya Chellam <divya.chellam@windriver.com>

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-24528

Upstream-patch:
https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .../krb5/krb5/CVE-2025-24528.patch            | 68 +++++++++++++++++++
 .../recipes-connectivity/krb5/krb5_1.21.3.bb  |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch
new file mode 100644
index 0000000000..ac6039edf1
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2025-24528.patch
@@ -0,0 +1,68 @@ 
+From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+CVE: CVE-2025-24528
+
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a25..68fae91 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
++       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
++    if (new_block > UINT16_MAX) {
++        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++               upd->kdb_princ_name.utf8str_t_len,
++               upd->kdb_princ_name.utf8str_t_val);
++        return KRB5_LOG_ERROR;
++    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
index 8262da500d..4742fe47b2 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -29,6 +29,7 @@  SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
            file://krb5-kdc.service \
            file://krb5-admin-server.service \
            file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
+           file://CVE-2025-24528.patch;striplevel=2 \
 "
 
 SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"

[meta-oe,scarthgap] krb5: fix CVE-2025-24528

Commit Message

Patch