Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: krb5@packages.debian.org
Control: affects -1 + src:krb5
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
* CVE-2024-26462
* CVE-2025-24528
[ Impact ]
* Low-severity security bugs, marked no-dsa, that should still be fixed in bookworm
[ Tests ]
* Automatic upstream test suite
[ Risks ]
Low; the code changes are small and straightforward
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Non Maintainer upload by LTS team
* Fixes CVE-2024-26462 (Closes: #1064965)
A memory leak vulnerability was found in src/kdc/ndr.c.
* Fixes CVE-2025-24528 (Closes: #1094730)
Prevent overflow when calculating ulog block size
* Add Salsa CI
[ Other info ]
None
diff -Nru krb5-1.20.1/debian/changelog krb5-1.20.1/debian/changelog
--- krb5-1.20.1/debian/changelog 2024-07-01 17:31:35.000000000 +0000
+++ krb5-1.20.1/debian/changelog 2025-02-23 17:42:24.000000000 +0000
@@ -1,5 +1,16 @@
+krb5 (1.20.1-2+deb12u3) bookworm; urgency=medium
+
+ * Non Maintainer upload by LTS team
+ * Fixes CVE-2024-26462 (Closes: #1064965)
+ A memory leak vulnerability was found in /krb5/src/kdc/ndr.c.
+ * Fixes CVE-2025-24528 (Closes: #1094730)
+ Prevent overflow when calculating ulog block size
+ * Add Salsa CI
+
+ -- Bastien Roucariès <rouca@debian.org> Sun, 23 Feb 2025 17:42:24 +0000
+
krb5 (1.20.1-2+deb12u2) bookworm-security; urgency=high
-
+
* CVE-2024-37370: an unauthenticated attacker can modify the
extra count in an RFC 4121 GSS token, causing the token to appear
truncated.
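Review bot: the `-`/`+` pair on the blank line of the already-released 1.20.1-2+deb12u2 stanza is a whitespace-only change and should be dropped so the debdiff is limited to the new deb12u3 stanza. Within that stanza, the CVE-2024-26462 line names the file as `/krb5/src/kdc/ndr.c`; the upstream patch header uses `src/kdc/ndr.c`, so write `A memory leak vulnerability was found in src/kdc/ndr.c.` to match.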
diff -Nru krb5-1.20.1/debian/patches/CVE-2024-26462.patch krb5-1.20.1/debian/patches/CVE-2024-26462.patch
--- krb5-1.20.1/debian/patches/CVE-2024-26462.patch 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.20.1/debian/patches/CVE-2024-26462.patch 2025-02-23 17:42:24.000000000 +0000
@@ -0,0 +1,41 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 5 Mar 2024 17:38:49 -0500
+Subject: CVE-2024-26462 Fix leak in KDC NDR encoding
+
+If the KDC tries to encode a principal containing encode invalid UTF-8
+sequences for inclusion in a PAC delegation info buffer, it will leak
+a small amount of memory in enc_wchar_pointer() before failing. Fix
+the leak.
+
+ticket: 9115 (new)
+tags: pullup
+target_version: 1.21-next
+origin: https://github.com/krb5/krb5/commit/7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe
+bug: https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html
+bug-lumingyindetect: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-26462
+---
+ src/kdc/ndr.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
+index 48395ab..d438408 100644
+--- a/src/kdc/ndr.c
++++ b/src/kdc/ndr.c
+@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
+ size_t utf16len, num_wchars;
+ uint8_t *utf16;
+
+- k5_buf_init_dynamic(&b);
+-
+ ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
+ if (ret)
+ return ret;
+
+ num_wchars = utf16len / 2;
+
++ k5_buf_init_dynamic(&b);
+ k5_buf_add_uint32_le(&b, num_wchars + 1);
+ k5_buf_add_uint32_le(&b, 0);
+ k5_buf_add_uint32_le(&b, num_wchars);
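Review bot: moving `k5_buf_init_dynamic(&b);` below the `k5_utf8_to_utf16le()` call closes the leak on the early `return ret;` path, which previously left `b` initialized and never freed; the hunk ends before `b` and `utf16` are consumed, so please confirm that the remaining error and success paths in enc_wchar_pointer() still release both. The diffstat (1 insertion, 2 deletions) matches a pure reorder with no behavioural change on the success path, which is what a no-dsa pu should look like.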
diff -Nru krb5-1.20.1/debian/patches/CVE-2025-24528.patch krb5-1.20.1/debian/patches/CVE-2025-24528.patch
--- krb5-1.20.1/debian/patches/CVE-2025-24528.patch 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.20.1/debian/patches/CVE-2025-24528.patch 2025-02-23 17:42:24.000000000 +0000
@@ -0,0 +1,62 @@
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: CVE-2025-24528 Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+origin: https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2342796
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094730
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-24528
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a25..68fae91 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+
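Review bot: the new `upd` parameter is used only for the error log in the next hunk, yet the doc comment that closes at the `*/` just above `static krb5_error_code` is not updated; add a sentence there stating that `upd` is the pending update whose principal name is reported when the block size would overflow, so a later reader does not wonder why resize() takes an update it never stores.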
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+
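Review bot: the `new_block > UINT16_MAX` guard sits after `new_size += ulogentries * new_block;`, so the multiplication is still performed on an unbounded `new_block` before the update is rejected; moving the check to directly after `new_block *= ULOG_BLOCK;` bounds both operands before `new_size` is computed, and the existing `new_size > MAXLOGLEN` test then only ever sees sane inputs. Separately, `%.*s` takes an `int` precision; if, as is usual for rpcgen-generated `<>` arrays, `utf8str_t_len` is `u_int`, pass `(int)upd->kdb_princ_name.utf8str_t_len` to avoid a format type mismatch.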
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
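Review bot: with this call an oversized update now makes store_update() return KRB5_LOG_ERROR after logging `ulog overflow caused by principal ...`, so the kadmin operation fails instead of kadmind writing past the mapped ulog; the diffstat (8 insertions, 2 deletions) shows this as the only call site touched, so no other caller needs the extra argument. It is worth adding a test that stores a principal entry large enough to exceed 2^16-1 bytes and asserts on the error return rather than relying on the "automatic upstream test" alone, which does not obviously exercise this path.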
diff -Nru krb5-1.20.1/debian/patches/series krb5-1.20.1/debian/patches/series
--- krb5-1.20.1/debian/patches/series 2024-07-01 17:31:35.000000000 +0000
+++ krb5-1.20.1/debian/patches/series 2025-02-23 17:42:24.000000000 +0000
@@ -9,3 +9,5 @@
0009-Add-.gitignore.patch
upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch
CVE-2024-37370
+CVE-2024-26462.patch
+CVE-2025-24528.patch
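Review bot: the existing entry `CVE-2024-37370` carries no `.patch` suffix while the two new entries do; quilt accepts both, but the mixed naming is confusing in `series`, so either name the new files to match the existing convention or rename the old one in a separate trivial change.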
diff -Nru krb5-1.20.1/debian/salsa-ci.yml krb5-1.20.1/debian/salsa-ci.yml
--- krb5-1.20.1/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.20.1/debian/salsa-ci.yml 2025-02-23 17:42:24.000000000 +0000
@@ -0,0 +1,9 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+
+blhc:
+  allow_failure: true
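Review bot: `blhc: allow_failure: true` silences the hardening-flags check for an upload whose whole purpose is two memory-safety CVEs; if blhc actually fails on krb5, say why in a comment, otherwise drop the override so a lost `-fstack-protector`/`-D_FORTIFY_SOURCE` flag is caught. `SALSA_CI_COMPONENTS: 'main contrib non-free'` is also wider than needed: krb5 is in main, so unless a build-dependency lives outside main the default components suffice, and the narrower setting avoids pulling non-free into the CI image.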