From 15098d870b43104c02405c4c5b3cad02160aea43 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 25 Feb 2025 14:42:53 +0100
Subject: [PATCH] overlay coreos/user-patches: Add some security-related patches
---
...in-the-middle-of-a-GNU-long-linkname.patch | 31 ++++++++++
.../app-arch/libarchive/README.md | 5 ++
...low-when-calculating-ulog-block-size.patch | 59 +++++++++++++++++++
.../user-patches/app-crypt/mit-krb5/README.md | 11 ++++
...otential-configuration-parsing-error.patch | 32 ++++++++++
.../user-patches/sys-libs/libcap/README.md | 3 +
6 files changed, 141 insertions(+)
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/README.md
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/0001-Prevent-overflow-when-calculating-ulog-block-size.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/README.md
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch
new file mode 100644
index 0000000000..a998542542
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch
@@ -0,0 +1,31 @@
+From 82912103214506316bd9990d73f33d743d55f570 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Mon, 9 Dec 2024 21:09:29 -0800
+Subject: [PATCH] Handle truncation in the middle of a GNU long linkname
+ (#2422)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thanks to gbdngb12 김동건 for reporting this.
+
+Resolves Issue #2415
+---
+ libarchive/archive_read_support_format_tar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
+index 4aaf1b90ce..b1344ae57d 100644
+--- a/libarchive/archive_read_support_format_tar.c
++++ b/libarchive/archive_read_support_format_tar.c
+@@ -1146,7 +1146,9 @@ header_gnu_longlink(struct archive_read *a, struct tar *tar,
+ struct archive_string linkpath;
+ archive_string_init(&linkpath);
+ err = read_body_to_string(a, tar, &linkpath, h, unconsumed);
+- archive_entry_set_link(entry, linkpath.s);
++ if (err == ARCHIVE_OK) {
++ archive_entry_set_link(entry, linkpath.s);
++ }
+ archive_string_free(&linkpath);
+ return (err);
+ }
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/README.md
new file mode 100644
index 0000000000..ba76d80f31
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/libarchive/README.md
@@ -0,0 +1,5 @@
+The
+`0001-Handle-truncation-in-the-middle-of-a-GNU-long-linkname.patch`
+patch addresses CVE-2024-57970. Currently it is only a part of the
+master branch so this patch could be dropped when updating to either
+3.8.0 or 3.7.8.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/0001-Prevent-overflow-when-calculating-ulog-block-size.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/0001-Prevent-overflow-when-calculating-ulog-block-size.patch
new file mode 100644
index 0000000000..078cce7ad5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/0001-Prevent-overflow-when-calculating-ulog-block-size.patch
@@ -0,0 +1,59 @@
+From 78ceba024b64d49612375be4a12d1c066b0bfbd0 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+---
+ lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a250187..68fae919a52 100644
+--- a/lib/kdb/kdb_log.c
++++ b/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
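Review bot: The locally rewritten `---`/`+++` headers name `lib/kdb/kdb_log.c`, but the `diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c` line two lines above them still carries the `src/` prefix, so the vendored patch's file headers disagree with each other. GNU `patch -p1` (what `eapply` uses) takes the target from the `---`/`+++` lines and will apply this as intended, but tooling that reads the `diff --git` line first — `git apply` among them — may reject it as an inconsistent filename; rewriting it to `diff --git a/lib/kdb/kdb_log.c b/lib/kdb/kdb_log.c` makes all three headers agree. The path change is only explained in the sibling README, so a one-line marker inside the patch itself, e.g. `[Flatcar: paths rewritten to apply from inside src/, see README.md]` after the commit message, would stop the next refresh from silently re-importing the unmodified upstream version. Separately, the new `new_block > UINT16_MAX` guard is placed after `new_size += ulogentries * new_block`, so that `unsigned int` multiply can itself wrap before the later `MAXLOGLEN` comparison; this is upstream's ordering and `ulogentries` presumably comes from operator configuration, so it is worth knowing about rather than changing here. Both hunks sit inside functions (`resize`, `store_update`) whose bodies continue outside the patch.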
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/README.md
new file mode 100644
index 0000000000..4a5523920f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-crypt/mit-krb5/README.md
@@ -0,0 +1,11 @@
+The `0001-Prevent-overflow-when-calculating-ulog-block-size.patch`
+patch is for addressing CVE-2025-24528. Not sure when it can be
+dropped - it currently is a part of a master branch, which is targeted
+for version 1.22. So maybe when we update to 1.22 this patch can be
+dropped. The krb5-1.21 branch didn't have this patch at the time of
+writing (2025-02-25).
+
+The patch was slightly modified to take into account that the patches
+in this package are applied not from the top directory, but from
+inside the `src` subdirectory (the S variable is modified in the
+ebuild).
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch
new file mode 100644
index 0000000000..839aed2ccc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/0001-pam-cap-Fix-potential-configuration-parsing-error.patch
@@ -0,0 +1,32 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues. Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang
+Signed-off-by: Andrew G. Morgan
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index 24de329..3ec99bb 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+
+ if (line[0] != '@') {
+ D(("user [%s] is not [%s] - skipping", user, line));
++ continue;
+ }
+
+ int i;
+--
+cgit 1.2.3-korg
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md
new file mode 100644
index 0000000000..a931f4f466
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/libcap/README.md
@@ -0,0 +1,3 @@
+The `0001-pam-cap-Fix-potential-configuration-parsing-error.patch`
+patch addresses CVE-2025-1390. It can be dropped when updating to
+2.74.