[AutoPR- Security] Patch krb5 for CVE-2025-24528 [MEDIUM] (#15545)

azurelinux-security · web-flow · commit 6c17b96a4ba5 · 2026-01-22T22:41:11.000+05:30
diff --git a/SPECS/krb5/CVE-2025-24528.patch b/SPECS/krb5/CVE-2025-24528.patch
@@ -0,0 +1,65 @@
+From d53fe0c6e1c6ca432365f9f194428936532ea491 Mon Sep 17 00:00:00 2001
+From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
+Date: Tue, 28 Jan 2025 16:39:25 -0500
+Subject: [PATCH] Prevent overflow when calculating ulog block size
+
+In kdb_log.c:resize(), log an error and fail if the update size is
+larger than the largest possible block size (2^16-1).
+
+CVE-2025-24528:
+
+In MIT krb5 release 1.7 and later with incremental propagation
+enabled, an authenticated attacker can cause kadmind to write beyond
+the end of the mapped region for the iprop log file, likely causing a
+process crash.
+
+[ghudson@mit.edu: edited commit message and added CVE description]
+
+ticket: 9159 (new)
+tags: pullup
+target_version: 1.21-next
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0.patch
+---
+ src/lib/kdb/kdb_log.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 2659a25..68fae91 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
+  */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+-       unsigned int recsize)
++       unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+     unsigned int new_block, new_size;
+ 
+@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+     new_block *= ULOG_BLOCK;
+     new_size += ulogentries * new_block;
+ 
++    if (new_block > UINT16_MAX) {
++        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++               upd->kdb_princ_name.utf8str_t_len,
++               upd->kdb_princ_name.utf8str_t_val);
++        return KRB5_LOG_ERROR;
++    }
+     if (new_size > MAXLOGLEN)
+         return KRB5_LOG_ERROR;
+ 
+@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+     recsize = sizeof(kdb_ent_header_t) + upd_size;
+ 
+     if (recsize > ulog->kdb_block) {
+-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+         if (retval)
+             return retval;
+     }
+-- 
+2.45.4
+
diff --git a/SPECS/krb5/krb5.spec b/SPECS/krb5/krb5.spec
@@ -4,7 +4,7 @@
 Summary:        The Kerberos newtork authentication system
 Name:           krb5
 Version:        1.21.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ URL:            https://web.mit.edu/kerberos/
 Source0:        https://kerberos.org/dist/%{name}/%{maj_version}/%{name}-%{version}.tar.gz
 Source1:        krb5.conf
 Patch0:         CVE-2024-26461.patch
+Patch1:         CVE-2025-24528.patch
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  openssl-devel
 Requires:       e2fsprogs-libs
@@ -126,6 +127,9 @@ make check
 %{_datarootdir}/locale/*
 
 %changelog
+* Wed Jan 21 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.21.3-3
+- Patch for CVE-2025-24528
+
 * Mon Sep 2 2024 Ankita Pareek <ankitapareek@microsoft.com> - 1.21.3-2
 - Add patch for CVE-2024-26458 and CVE-2024-26461
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -195,8 +195,8 @@ libsolv-0.7.28-3.azl3.aarch64.rpm
 libsolv-devel-0.7.28-3.azl3.aarch64.rpm
 libssh2-1.11.1-1.azl3.aarch64.rpm
 libssh2-devel-1.11.1-1.azl3.aarch64.rpm
-krb5-1.21.3-2.azl3.aarch64.rpm
-krb5-devel-1.21.3-2.azl3.aarch64.rpm
+krb5-1.21.3-3.azl3.aarch64.rpm
+krb5-devel-1.21.3-3.azl3.aarch64.rpm
 nghttp2-1.61.0-2.azl3.aarch64.rpm
 nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
 curl-8.11.1-4.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -195,8 +195,8 @@ libsolv-0.7.28-3.azl3.x86_64.rpm
 libsolv-devel-0.7.28-3.azl3.x86_64.rpm
 libssh2-1.11.1-1.azl3.x86_64.rpm
 libssh2-devel-1.11.1-1.azl3.x86_64.rpm
-krb5-1.21.3-2.azl3.x86_64.rpm
-krb5-devel-1.21.3-2.azl3.x86_64.rpm
+krb5-1.21.3-3.azl3.x86_64.rpm
+krb5-devel-1.21.3-3.azl3.x86_64.rpm
 nghttp2-1.61.0-2.azl3.x86_64.rpm
 nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
 curl-8.11.1-4.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -162,10 +162,10 @@ kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
-krb5-1.21.3-2.azl3.aarch64.rpm
-krb5-debuginfo-1.21.3-2.azl3.aarch64.rpm
-krb5-devel-1.21.3-2.azl3.aarch64.rpm
-krb5-lang-1.21.3-2.azl3.aarch64.rpm
+krb5-1.21.3-3.azl3.aarch64.rpm
+krb5-debuginfo-1.21.3-3.azl3.aarch64.rpm
+krb5-devel-1.21.3-3.azl3.aarch64.rpm
+krb5-lang-1.21.3-3.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
 libarchive-3.7.7-4.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -170,10 +170,10 @@ kernel-headers-6.6.119.3-3.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
-krb5-1.21.3-2.azl3.x86_64.rpm
-krb5-debuginfo-1.21.3-2.azl3.x86_64.rpm
-krb5-devel-1.21.3-2.azl3.x86_64.rpm
-krb5-lang-1.21.3-2.azl3.x86_64.rpm
+krb5-1.21.3-3.azl3.x86_64.rpm
+krb5-debuginfo-1.21.3-3.azl3.x86_64.rpm
+krb5-devel-1.21.3-3.azl3.x86_64.rpm
+krb5-lang-1.21.3-3.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
 libarchive-3.7.7-4.azl3.x86_64.rpm
