[AUTOPATCHER-CORE] Patched krb5 to address CVE-2023-36054 (#6005)

* Patch krb5 to address CVE-2023-36054

* use autosetup

* update package manifests

* update changelog name and date

---------

Co-authored-by: Tobias Brick <tobiasb@microsoft.com>

SPECS/krb5/CVE-2023-36054.patch

@@ -0,0 +1,62 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3f4..287cae750f9 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 			     int v)
+ {
+ 	unsigned int n;
++	bool_t r;
+ 
+ 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ 		return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ 		return (FALSE);
+ 	}
++	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++		return (FALSE);
++	}
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ 		return (FALSE);
+ 	}
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 		return FALSE;
+ 	}
+ 	n = objp->n_key_data;
+-	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-		       &n, ~0, sizeof(krb5_key_data),
+-		       xdr_krb5_key_data_nocontents)) {
++	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++	objp->n_key_data = n;
++	if (!r) {
+ 		return (FALSE);
+ 	}
+ 

SPECS/krb5/krb5.spec

@@ -4,7 +4,7 @@
 Summary:        The Kerberos newtork authentication system
 Name:           krb5
 Version:        1.19.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Group:          System Environment/Security
 URL:            https://web.mit.edu/kerberos/
 Source0:        https://kerberos.org/dist/%{name}/%{maj_version}/%{name}-%{version}.tar.gz
 Source1:        krb5.conf
+Patch0:         CVE-2023-36054.patch
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  openssl-devel
 Requires:       e2fsprogs-libs
@@ -40,7 +41,7 @@ Requires:       %{name} = %{version}-%{release}
 These are the additional language files of krb5.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 cd src
@@ -126,6 +127,9 @@ make check
 %{_datarootdir}/locale/*
 
 %changelog
+* Mon Aug 21 2023 Tobias Brick <tobiasb@microsoft.com> - 1.19.4-2
+- Add patch for CVE-2023-36054
+
 * Fri Jan 06 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.19.4-1
 - Auto-upgrade to 1.19.4 - to fix CVE-2022-42898
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -188,7 +188,7 @@ libsolv-0.7.24-1.cm2.aarch64.rpm
 libsolv-devel-0.7.24-1.cm2.aarch64.rpm
 libssh2-1.9.0-2.cm2.aarch64.rpm
 libssh2-devel-1.9.0-2.cm2.aarch64.rpm
-krb5-1.19.4-1.cm2.aarch64.rpm
+krb5-1.19.4-2.cm2.aarch64.rpm
 nghttp2-1.46.0-3.cm2.aarch64.rpm
 curl-8.2.1-1.cm2.aarch64.rpm
 curl-devel-8.2.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -188,7 +188,7 @@ libsolv-0.7.24-1.cm2.x86_64.rpm
 libsolv-devel-0.7.24-1.cm2.x86_64.rpm
 libssh2-1.9.0-2.cm2.x86_64.rpm
 libssh2-devel-1.9.0-2.cm2.x86_64.rpm
-krb5-1.19.4-1.cm2.x86_64.rpm
+krb5-1.19.4-2.cm2.x86_64.rpm
 nghttp2-1.46.0-3.cm2.x86_64.rpm
 curl-8.2.1-1.cm2.x86_64.rpm
 curl-devel-8.2.1-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -140,10 +140,10 @@ kernel-headers-5.15.126.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.aarch64.rpm
 kmod-debuginfo-29-1.cm2.aarch64.rpm
 kmod-devel-29-1.cm2.aarch64.rpm
-krb5-1.19.4-1.cm2.aarch64.rpm
-krb5-debuginfo-1.19.4-1.cm2.aarch64.rpm
-krb5-devel-1.19.4-1.cm2.aarch64.rpm
-krb5-lang-1.19.4-1.cm2.aarch64.rpm
+krb5-1.19.4-2.cm2.aarch64.rpm
+krb5-debuginfo-1.19.4-2.cm2.aarch64.rpm
+krb5-devel-1.19.4-2.cm2.aarch64.rpm
+krb5-lang-1.19.4-2.cm2.aarch64.rpm
 libarchive-3.6.1-2.cm2.aarch64.rpm
 libarchive-debuginfo-3.6.1-2.cm2.aarch64.rpm
 libarchive-devel-3.6.1-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -140,10 +140,10 @@ kernel-headers-5.15.126.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.x86_64.rpm
 kmod-debuginfo-29-1.cm2.x86_64.rpm
 kmod-devel-29-1.cm2.x86_64.rpm
-krb5-1.19.4-1.cm2.x86_64.rpm
-krb5-debuginfo-1.19.4-1.cm2.x86_64.rpm
-krb5-devel-1.19.4-1.cm2.x86_64.rpm
-krb5-lang-1.19.4-1.cm2.x86_64.rpm
+krb5-1.19.4-2.cm2.x86_64.rpm
+krb5-debuginfo-1.19.4-2.cm2.x86_64.rpm
+krb5-devel-1.19.4-2.cm2.x86_64.rpm
+krb5-lang-1.19.4-2.cm2.x86_64.rpm
 libarchive-3.6.1-2.cm2.x86_64.rpm
 libarchive-debuginfo-3.6.1-2.cm2.x86_64.rpm
 libarchive-devel-3.6.1-2.cm2.x86_64.rpm