Ticket History #9159: Prevent overflow when calculating ulog block size

# Tue Jan 28 22:24:54 2025 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 805B

Prevent overflow when calculating ulog block size

In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).

CVE-2025-24528:

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

[ghudson@mit.edu: edited commit message and added CVE description]

https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0
Author: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 78ceba024b64d49612375be4a12d1c066b0bfbd0
Branch: master
src/lib/kdb/kdb_log.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

# Tue Jan 28 22:24:54 2025 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Tue Jan 28 22:24:54 2025 ghudson@mit.edu (Greg Hudson) - Target_Version 1.21-next added

# Tue Jan 28 22:24:54 2025 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Tue Jan 28 22:24:54 2025 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Mon May 05 18:09:48 2025 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.22 added

# Mon Aug 04 18:32:19 2025 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.21.4 added

# Mon Aug 04 18:32:19 2025 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 878B

Prevent overflow when calculating ulog block size

In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).

CVE-2025-24528:

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

[ghudson@mit.edu: edited commit message and added CVE description]

(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)

https://github.com/krb5/krb5/commit/daa1a9127616c4f50e421038de0b0b93145d74ef
Author: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: daa1a9127616c4f50e421038de0b0b93145d74ef
Branch: krb5-1.21
src/lib/kdb/kdb_log.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

# Mon Aug 04 18:32:52 2025 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted