overlay coreos/user-patches: Add some security-related patches

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch

@@ -0,0 +1,31 @@
+From 82912103214506316bd9990d73f33d743d55f570 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Mon, 9 Dec 2024 21:09:29 -0800
+Subject: [PATCH] Handle truncation in the middle of a GNU long linkname
+ (#2422)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thanks to gbdngb12 김동건 for reporting this.
+
+Resolves Issue #2415
+---
+ libarchive/archive_read_support_format_tar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
+index 4aaf1b90ce..b1344ae57d 100644
+--- a/libarchive/archive_read_support_format_tar.c
++++ b/libarchive/archive_read_support_format_tar.c
+@@ -1146,7 +1146,9 @@ header_gnu_longlink(struct archive_read *a, struct tar *tar,
+ 	struct archive_string linkpath;
+ 	archive_string_init(&linkpath);
+ 	err = read_body_to_string(a, tar, &linkpath, h, unconsumed);
+-	archive_entry_set_link(entry, linkpath.s);
++	if (err == ARCHIVE_OK) {
++		archive_entry_set_link(entry, linkpath.s);
++	}
+ 	archive_string_free(&linkpath);
+ 	return (err);
+ }

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/README.md

@@ -0,0 +1,5 @@
+The
+`0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch`
+patch addresses CVE-2024-57970. Currently it is only a part of the
+master branch so this patch could be dropped when updating to either
+3.8.0 or 3.7.8.

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/0001-Prevent-overflow-when-calculating-ulog-block-size.patch

@@ -0,0 +1,59 @@
+From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+---
+ lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a250187..68fae919a52 100644
+--- a/lib/kdb/kdb_log.c
++++ b/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
++       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
++    if (new_block > UINT16_MAX) {
++        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++               upd->kdb_princ_name.utf8str_t_len,
++               upd->kdb_princ_name.utf8str_t_val);
++        return KRB5_LOG_ERROR;
++    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/README.md

@@ -0,0 +1,11 @@
+The `0001-Prevent-overflow-when-calculating-ulog-block-size.patch`
+patch is for addressing CVE-2025-24528. Not sure when it can be
+dropped - it currently is a part of a master branch, which is targeted
+for version 1.22. So maybe when we update to 1.22 this patch can be
+dropped. The krb5-1.21 branch didn't have this patch at the time of
+writing (2025-02-25).
+
+The patch was slightly modified to take into account that the patches
+in this package are applied not from the top directory, but from
+inside the `src` subdirectory (the S variable is modified in the
+ebuild).

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch

@@ -0,0 +1,32 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ 	    if (line[0] != '@') {
+ 		D(("user [%s] is not [%s] - skipping", user, line));
++		continue;
+ 	    }
+ 
+ 	    int i;
+-- 
+cgit 1.2.3-korg
+

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md

@@ -0,0 +1,3 @@
+The `0001-pam-cap-Fix-potential-configuration-parsing-error.patch`
+patch addresses CVE-2025-1390. It can be dropped when updating to
+2.74.