backport patches

Signed-off-by: xuraoqing <xuraoqing@huawei.com>

backport-Avoid-small-read-overrun-in-UTF8-normalization.patch

@@ -0,0 +1,37 @@
+From fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 12 Oct 2022 00:27:17 -0400
+Subject: [PATCH] Avoid small read overrun in UTF8 normalization
+
+In krb5int_utf8_normalize(), check the length of the current character
+against the buffer length before reading more than one byte.  Credit
+to OSS-Fuzz for discovering the overrun.
+
+ticket: 9072 (new)
+
+Reference: https://github.com/krb5/krb5/commit/fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4
+Conflict: NA
+---
+ src/lib/krb5/unicode/ucstr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/lib/krb5/unicode/ucstr.c b/src/lib/krb5/unicode/ucstr.c
+index 21030bf25..e3ed9bc64 100644
+--- a/src/lib/krb5/unicode/ucstr.c
++++ b/src/lib/krb5/unicode/ucstr.c
+@@ -199,6 +199,12 @@ krb5int_utf8_normalize(
+ 	/* s[i] is non-ascii */
+ 	/* convert everything up to next ascii to ucs-4 */
+ 	while (i < len) {
++	    /* KRB5_UTF8_CHARLEN only looks at the first byte; use it to guard
++	     * against small read overruns. */
++	    if (KRB5_UTF8_CHARLEN(s + i) > len - i) {
++		retval = KRB5_ERR_INVALID_UTF8;
++		goto cleanup;
++	    }
+ 	    clen = KRB5_UTF8_CHARLEN2(s + i, clen);
+ 	    if (clen == 0) {
+ 		retval = KRB5_ERR_INVALID_UTF8;
+-- 
+2.27.0
+

backport-Fix-kpropd-crash-with-unrecognized-option.patch

@@ -0,0 +1,32 @@
+From d0ea8de883a2487dfde8bfa377b64df1194ed5cb Mon Sep 17 00:00:00 2001
+From: abushwang <wangshuo_1994@foxmail.com>
+Date: Wed, 28 Dec 2022 15:06:02 +0800
+Subject: [PATCH] Fix kpropd crash with unrecognized option
+
+ticket: 9083 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+
+
+Reference: https://github.com/krb5/krb5/commit/d0ea8de883a2487dfde8bfa377b64df1194ed5cb
+Conflict: NA
+---
+ src/kprop/kpropd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
+index f2341d720..aa3c81ea3 100644
+--- a/src/kprop/kpropd.c
++++ b/src/kprop/kpropd.c
+@@ -1047,6 +1047,7 @@ parse_args(int argc, char **argv)
+     enum { PID_FILE = 256 };
+     struct option long_options[] = {
+         { "pid-file", 1, NULL, PID_FILE },
++        { NULL, 0, NULL, 0 },
+     };
+ 
+     memset(&params, 0, sizeof(params));
+-- 
+2.27.0
+

backport-Fix-preauth-crash-on-memory-exhaustion.patch

@@ -0,0 +1,35 @@
+From 7736144eb613f797dea57a44da33007a19602e5e Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Sun, 27 Nov 2022 22:24:24 +0800
+Subject: [PATCH] Fix preauth crash on memory exhaustion
+
+In k5_preauth_request_context_init(), check the result of calloc().
+
+[ghudson@mit.edu: rewrote commit message; added free() of reqctx on error]
+
+ticket: 9079 (new)
+
+Reference: https://github.com/krb5/krb5/commit/7736144eb613f797dea57a44da33007a19602e5e
+Conflict: NA
+---
+ src/lib/krb5/krb/preauth2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
+index ffca476c2..32f35b761 100644
+--- a/src/lib/krb5/krb/preauth2.c
++++ b/src/lib/krb5/krb/preauth2.c
+@@ -263,6 +263,10 @@ k5_preauth_request_context_init(krb5_context context,
+      * preauth context's array of handles. */
+     for (count = 0; pctx->handles[count] != NULL; count++);
+     reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs));
++    if (reqctx->modreqs == NULL) {
++        free(reqctx);
++        return;
++    }
+     for (i = 0; i < count; i++) {
+         h = pctx->handles[i];
+         if (h->vt.request_init != NULL)
+-- 
+2.27.0
+

backport-Use-memmove-in-Unicode-functions.patch

@@ -0,0 +1,130 @@
+From 5c52ab2252953055e64d9b9855ad64b27eda060e Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 18 Oct 2022 16:17:55 -0400
+Subject: [PATCH] Use memmove() in Unicode functions
+
+Where the upstream OpenLDAP code uses AC_MEMCPY(), use memmove()
+instead of memcpy() as the copies frequently involve overlapping
+memory regions.  Credit to OSS-Fuzz for discovering one instance of
+the issue.
+
+ticket: 9076 (new)
+
+Conflict:NA
+Reference: https://github.com/krb5/krb5/commit/5c52ab2252953055e64d9b9855ad64b27eda060e
+---
+ src/lib/krb5/unicode/ucdata/ucdata.c   |  4 ++--
+ src/lib/krb5/unicode/ucdata/ucgendat.c | 20 ++++++++++----------
+ src/lib/krb5/unicode/ure/ure.c         |  8 ++++----
+ 3 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/src/lib/krb5/unicode/ucdata/ucdata.c b/src/lib/krb5/unicode/ucdata/ucdata.c
+index e1b560d96..5b6ac7085 100644
+--- a/src/lib/krb5/unicode/ucdata/ucdata.c
++++ b/src/lib/krb5/unicode/ucdata/ucdata.c
+@@ -958,7 +958,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
+                     for (l = i; l > 0; l--)
+                         if (class >= uccombining_class((*out)[l-1]))
+                             break;
+-                    memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
++                    memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+                     (*out)[l] = decomp[k];
+                 }
+                 i++;
+@@ -988,7 +988,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
+                 for (l = i; l > 0; l--)
+                     if (class >= uccombining_class((*out)[l-1]))
+                         break;
+-                memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
++                memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+                 (*out)[l] = in[j];
+             }
+             i++;
+diff --git a/src/lib/krb5/unicode/ucdata/ucgendat.c b/src/lib/krb5/unicode/ucdata/ucgendat.c
+index 9114e8a70..70cec52d0 100644
+--- a/src/lib/krb5/unicode/ucdata/ucgendat.c
++++ b/src/lib/krb5/unicode/ucdata/ucgendat.c
+@@ -485,8 +485,8 @@ add_decomp(krb5_ui_4 code, short compat)
+          * Shift the decomps up by one if the codes don't match.
+          */
+         for (j = *pdecomps_used; j > i; j--)
+-          (void) memcpy((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
+-                        sizeof(_decomp_t));
++          (void) memmove((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
++                         sizeof(_decomp_t));
+     }
+ 
+     /*
+@@ -509,8 +509,8 @@ add_decomp(krb5_ui_4 code, short compat)
+ 
+     (*pdecomps)[i].code = code;
+     (*pdecomps)[i].used = dectmp_size;
+-    (void) memcpy((char *) (*pdecomps)[i].decomp, (char *) dectmp,
+-                  sizeof(krb5_ui_4) * dectmp_size);
++    (void) memmove((char *) (*pdecomps)[i].decomp, (char *) dectmp,
++                   sizeof(krb5_ui_4) * dectmp_size);
+ 
+     /*
+      * NOTICE: This needs changing later so it is more general than simply
+@@ -549,8 +549,8 @@ add_title(krb5_ui_4 code)
+          * Shift the array up by one.
+          */
+         for (j = title_used; j > i; j--)
+-          (void) memcpy((char *) &title[j], (char *) &title[j - 1],
+-                        sizeof(_case_t));
++          (void) memmove((char *) &title[j], (char *) &title[j - 1],
++                         sizeof(_case_t));
+     }
+ 
+     title[i].key = cases[2];    /* Title */
+@@ -596,8 +596,8 @@ add_upper(krb5_ui_4 code)
+          * Shift the array up by one.
+          */
+         for (j = upper_used; j > i; j--)
+-          (void) memcpy((char *) &upper[j], (char *) &upper[j - 1],
+-                        sizeof(_case_t));
++          (void) memmove((char *) &upper[j], (char *) &upper[j - 1],
++                         sizeof(_case_t));
+     }
+ 
+     upper[i].key = cases[0];    /* Upper */
+@@ -643,8 +643,8 @@ add_lower(krb5_ui_4 code)
+          * Shift the array up by one.
+          */
+         for (j = lower_used; j > i; j--)
+-          (void) memcpy((char *) &lower[j], (char *) &lower[j - 1],
+-                        sizeof(_case_t));
++          (void) memmove((char *) &lower[j], (char *) &lower[j - 1],
++                         sizeof(_case_t));
+     }
+ 
+     lower[i].key = cases[1];    /* Lower */
+diff --git a/src/lib/krb5/unicode/ure/ure.c b/src/lib/krb5/unicode/ure/ure.c
+index e6d2b11ea..7b3048713 100644
+--- a/src/lib/krb5/unicode/ure/ure.c
++++ b/src/lib/krb5/unicode/ure/ure.c
+@@ -1124,8 +1124,8 @@ _ure_make_symbol(ucs2_t *sym, unsigned long limit, unsigned long *consumed,
+     }
+ 
+     symbol.id = b->symtab_used++;
+-    (void) memcpy((char *) &b->symtab[symbol.id], (char *) &symbol,
+-                  sizeof(_ure_symtab_t));
++    (void) memmove((char *) &b->symtab[symbol.id], (char *) &symbol,
++                   sizeof(_ure_symtab_t));
+ 
+     return symbol.id;
+ }
+@@ -1358,8 +1358,8 @@ _ure_add_state(ucs2_t nstates, ucs2_t *states, _ure_buffer_t *b)
+             sp->st.slist_size = sp->st.slist_used + nstates;
+         }
+         sp->st.slist_used = nstates;
+-        (void) memcpy((char *) sp->st.slist, (char *) states,
+-                      sizeof(ucs2_t) * nstates);
++        (void) memmove((char *) sp->st.slist, (char *) states,
++                       sizeof(ucs2_t) * nstates);
+     }
+ 
+     /*
+-- 
+2.27.0
+

krb5.spec

@@ -3,7 +3,7 @@
 
 Name:     krb5
 Version:  1.18.2
-Release:  8
+Release:  9
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@@ -31,6 +31,10 @@ Patch8: backport-CVE-2021-36222.patch
 Patch9: backport-CVE-2021-37750.patch
 Patch10: Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
 Patch11: CVE-2023-36054.patch
+Patch12: backport-Avoid-small-read-overrun-in-UTF8-normalization.patch
+Patch13: backport-Use-memmove-in-Unicode-functions.patch
+Patch14: backport-Fix-preauth-crash-on-memory-exhaustion.patch
+Patch15: backport-Fix-kpropd-crash-with-unrecognized-option.patch
 
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -322,6 +326,9 @@ make -C src check || :
 %{_mandir}/man8/*
 
 %changelog
+* Fri Dec 29 2023 xuraoqing<xuraoqing@huawei.com> - 1.18.2-9
+- backport patches
+
 * Tue Aug 15 2023 liningjie <liningjie@xfusion.com> - 1.18.2-8
 - fix CVE-2023-36054