From 5fffb24bdc55b6a1eb632f96ae05c797e83be6cf Mon Sep 17 00:00:00 2001
From: Tyson Hamilton
Date: Thu, 28 May 2026 08:49:50 -0400
Subject: [PATCH 1/3] build/deps: upgrade krb5 to 1.22.2

Replace krb5 1.21.3 with 1.22.2. The memory leak fixes previously applied via patch are included in 1.22 upstream. The NegoEx CVE fixes (CVE-2026-40355, CVE-2026-40356) patch still applies cleanly and is retained until they land upstream.

Co-Authored-By: Claude Sonnet 4.6
---
 bazel/repositories.bzl | 7 +-
 .../0001-Fix-two-unlikely-memory-leaks.patch | 217 ------------------
 2 files changed, 3 insertions(+), 221 deletions(-)
 delete mode 100644 bazel/thirdparty/0001-Fix-two-unlikely-memory-leaks.patch

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index bd0fe18e37950..2b1f5d3f29985 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -78,11 +78,10 @@ def data_dependency():
 http_archive(
 name = "krb5",
 build_file = "//bazel/thirdparty:krb5.BUILD",
- sha256 = "2157d92020d408ed63ebcd886a92d1346a1383b0f91123a0473b4f69b4a24861",
- strip_prefix = "krb5-krb5-1.21.3-final",
- url = "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.21.3-final.tar.gz",
+ sha256 = "289f5bb81d1f2f8d5eecebe56a056aeed95d35fd9bb4a7071c5dd7ad4b3fe888",
+ strip_prefix = "krb5-krb5-1.22.2-final",
+ url = "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.22.2-final.tar.gz",
 patches = [
- "//bazel/thirdparty:0001-Fix-two-unlikely-memory-leaks.patch",
 "//bazel/thirdparty:0002-Fix-two-NegoEx-parsing-vulnerabilities.patch",
 ],
 patch_args = ["-p1"],
diff --git a/bazel/thirdparty/0001-Fix-two-unlikely-memory-leaks.patch b/bazel/thirdparty/0001-Fix-two-unlikely-memory-leaks.patch
deleted file mode 100644
index a04dab5a3a32e..0000000000000
--- a/bazel/thirdparty/0001-Fix-two-unlikely-memory-leaks.patch
+++ /dev/null
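Review bot: Dropping 0001-Fix-two-unlikely-memory-leaks.patch from `patches` here assumes everything in that file is upstream in 1.22.2, but the deleted file carried more than the cherry-picked commit: its own diffstat lists only k5sealv3.c and pmap_rmt.c, while a third hunk adds `krb5_free_principal(context, cred->acceptor_mprinc);` to the error_out path of src/lib/gssapi/krb5/acquire_cred.c. That extra hunk is not covered by the commit message's claim, so it is worth confirming that 1.22.2 frees acceptor_mprinc on that path, and otherwise keeping it as a separate local patch. The retained 0002 entry would also benefit from a note such as `# CVE-2026-40355, CVE-2026-40356; drop once fixed upstream` so the next upgrade knows when it can go. Since the pinned URL is GitHub's tag archive rather than a release artifact published and signed by the krb5 project, recording in the commit how the new sha256 was cross-checked would help future reviewers.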
@@ -1,217 +0,0 @@ -From 8161936fa0188709585ddcd0f6ea0ebdaa3e0b17 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 5 Mar 2024 19:53:07 -0500 -Subject: [PATCH] Fix two unlikely memory leaks - -In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which -could probably never be triggered) leaks plain.data. Fix this leak -and use current practices for cleanup throughout the function. - -In xmt_rmtcallres() (unused within the tree and likely elsewhere), -store port_ptr into crp->port_ptr as soon as it is allocated; -otherwise it could leak if the subsequent xdr_u_int32() operation -fails. - -(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d) ---- - src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++------------------- - src/lib/rpc/pmap_rmt.c | 9 +++--- - 2 files changed, 29 insertions(+), 36 deletions(-) - -diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c -index 1fcbdfbb8..d3210c110 100644 ---- a/src/lib/gssapi/krb5/k5sealv3.c -+++ b/src/lib/gssapi/krb5/k5sealv3.c -@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - int conf_req_flag, int toktype) - { - size_t bufsize = 16; -- unsigned char *outbuf = 0; -+ unsigned char *outbuf = NULL; - krb5_error_code err; - int key_usage; - unsigned char acceptor_flag; -@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - #endif - size_t ec; - unsigned short tok_id; -- krb5_checksum sum; -+ krb5_checksum sum = { 0 }; - krb5_key key; - krb5_cksumtype cksumtype; -+ krb5_data plain = empty_data(); -+ -+ token->value = NULL; -+ token->length = 0; - - acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; - key_usage = (toktype == KG_TOK_WRAP_MSG -@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - #endif - - if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { -- krb5_data plain; - krb5_enc_data cipher; - size_t ec_max; - size_t encrypt_size; - - /* 300: Adds some slop. 
*/ -- if (SIZE_MAX - 300 < message->length) -- return ENOMEM; -+ if (SIZE_MAX - 300 < message->length) { -+ err = ENOMEM; -+ goto cleanup; -+ } - ec_max = SIZE_MAX - message->length - 300; - if (ec_max > 0xffff) - ec_max = 0xffff; -@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - #endif - err = alloc_data(&plain, message->length + 16 + ec); - if (err) -- return err; -+ goto cleanup; - - /* Get size of ciphertext. */ - encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype); - if (encrypt_size > SIZE_MAX / 2) { - err = ENOMEM; -- goto error; -+ goto cleanup; - } - bufsize = 16 + encrypt_size; - /* Allocate space for header plus encrypted data. */ - outbuf = gssalloc_malloc(bufsize); - if (outbuf == NULL) { -- free(plain.data); -- return ENOMEM; -+ err = ENOMEM; -+ goto cleanup; - } - - /* TOK_ID */ -@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - cipher.ciphertext.length = bufsize - 16; - cipher.enctype = key->keyblock.enctype; - err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher); -- zap(plain.data, plain.length); -- free(plain.data); -- plain.data = 0; - if (err) -- goto error; -+ goto cleanup; - - /* Now that we know we're returning a valid token.... */ - ctx->seq_send++; -@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - /* If the rotate fails, don't worry about it. 
*/ - #endif - } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) { -- krb5_data plain; - size_t cksumsize; - - /* Here, message is the application-supplied data; message2 is -@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - wrap_with_checksum: - err = alloc_data(&plain, message->length + 16); - if (err) -- return err; -+ goto cleanup; - - err = krb5_c_checksum_length(context, cksumtype, &cksumsize); - if (err) -- goto error; -+ goto cleanup; - - assert(cksumsize <= 0xffff); - - bufsize = 16 + message2->length + cksumsize; - outbuf = gssalloc_malloc(bufsize); - if (outbuf == NULL) { -- free(plain.data); -- plain.data = 0; - err = ENOMEM; -- goto error; -+ goto cleanup; - } - - /* TOK_ID */ -@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, - if (message2->length) - memcpy(outbuf + 16, message2->value, message2->length); - -- sum.contents = outbuf + 16 + message2->length; -- sum.length = cksumsize; -- - err = krb5_k_make_checksum(context, cksumtype, key, - key_usage, &plain, &sum); -- zap(plain.data, plain.length); -- free(plain.data); -- plain.data = 0; - if (err) { - zap(outbuf,bufsize); -- goto error; -+ goto cleanup; - } - if (sum.length != cksumsize) - abort(); - memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize); -- krb5_free_checksum_contents(context, &sum); -- sum.contents = 0; - /* Now that we know we're actually generating the token... 
*/
- ctx->seq_send++;
-
-@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
-
- token->value = outbuf;
- token->length = bufsize;
-- return 0;
-+ outbuf = NULL;
-+ err = 0;
-
--error:
-+cleanup:
-+ krb5_free_checksum_contents(context, &sum);
-+ zapfree(plain.data, plain.length);
- gssalloc_free(outbuf);
-- token->value = NULL;
-- token->length = 0;
- return err;
- }
-
-diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
-index 8c7e30c21..149de98b0 100644
---- a/src/lib/rpc/pmap_rmt.c
-+++ b/src/lib/rpc/pmap_rmt.c
-@@ -160,11 +160,12 @@ xdr_rmtcallres(
- caddr_t port_ptr;
-
- port_ptr = (caddr_t)(void *)crp->port_ptr;
-- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
-- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
-- crp->port_ptr = (uint32_t *)(void *)port_ptr;
-+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
-+ xdr_u_int32))
-+ return (FALSE);
-+ crp->port_ptr = (uint32_t *)(void *)port_ptr;
-+ if (xdr_u_int32(xdrs, &crp->resultslen))
- return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
-- }
- return (FALSE);
- }
-
-diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
-index aa1a486dc..12e6b7ea8 100644
---- a/src/lib/gssapi/krb5/acquire_cred.c
-+++ b/src/lib/gssapi/krb5/acquire_cred.c
-@@ -912,6 +912,7 @@ error_out:
- if (cred->name)
- kg_release_name(context, &cred->name);
- krb5_free_principal(context, cred->impersonator);
-+ krb5_free_principal(context, cred->acceptor_mprinc);
- zapfreestr(cred->password);
- k5_mutex_destroy(&cred->lock);
- xfree(cred);
---
-2.34.1
-

From 5acac50623aaa42cb4066aede0a4c75641e4cda2 Mon Sep 17 00:00:00 2001
From: Tyson Hamilton
Date: Thu, 28 May 2026 13:56:46 -0400
Subject: [PATCH 2/3] build: update MODULE.bazel.lock for krb5 1.22.2

Co-Authored-By: Claude Sonnet 4.6
---
 MODULE.bazel.lock | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index 1cc4ea4fe97ed..8492f625f3e97 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -355,7 +355,7 @@
 "moduleExtensions": {
 "//bazel:extensions.bzl%non_module_dependencies": {
 "general": {
- "bzlTransitiveDigest": "3YefO78kqM0cS68i34c2V/zTAUb+YuLPn5tHmCHnUaU=",
+ "bzlTransitiveDigest": "Mztpah+gr75XPhPALc1PogZGuFEmAhocT6Do3FZQtuA=",
 "usagesDigest": "FEiDyZe9eAU6yEqnarZf0XMEUk+prUyYClvq1RU1J98=",
 "recordedInputs": [
 "REPO_MAPPING:,bazel_tools bazel_tools",
@@ -443,11 +443,10 @@
 "repoRuleId": "@@bazel_tools//tools/build_defs/repo:http.bzl%http_archive",
 "attributes": {
 "build_file": "@@//bazel/thirdparty:krb5.BUILD",
- "sha256": "2157d92020d408ed63ebcd886a92d1346a1383b0f91123a0473b4f69b4a24861",
- "strip_prefix": "krb5-krb5-1.21.3-final",
- "url": "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.21.3-final.tar.gz",
+ "sha256": "289f5bb81d1f2f8d5eecebe56a056aeed95d35fd9bb4a7071c5dd7ad4b3fe888",
+ "strip_prefix": "krb5-krb5-1.22.2-final",
+ "url": "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.22.2-final.tar.gz",
 "patches": [
- "@@//bazel/thirdparty:0001-Fix-two-unlikely-memory-leaks.patch",
 "@@//bazel/thirdparty:0002-Fix-two-NegoEx-parsing-vulnerabilities.patch"
 ],
 "patch_args": [

From ba231dd72dad138150646e1c2ca32743061641c0 Mon Sep 17 00:00:00 2001
From: Tyson Hamilton
Date: Fri, 29 May 2026 10:20:28 -0400
Subject: [PATCH 3/3] build/deps: fix krb5 1.22.2 build in sandboxed environments

krb5 1.22.2 has a bug where struct kdclist and kdclist_entry are defined inside a KRB5_DNS_LOOKUP conditional, but the functions using them are outside it. When configure doesn't define KRB5_DNS_LOOKUP (as in the Bazel sandbox), the structs are incomplete at compile time. Cherry-pick the upstream fix from master (3c672ca).

Co-Authored-By: Claude Sonnet 4.6
---
 MODULE.bazel.lock | 5 +-
 bazel/repositories.bzl | 1 +
 ...ld-when-KRB5_DNS_LOOKUP-isnt-defined.patch | 50 +++++++++++++++++++
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 bazel/thirdparty/0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch

diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index 8492f625f3e97..ac48963e1adbf 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -355,7 +355,7 @@
 "moduleExtensions": {
 "//bazel:extensions.bzl%non_module_dependencies": {
 "general": {
- "bzlTransitiveDigest": "Mztpah+gr75XPhPALc1PogZGuFEmAhocT6Do3FZQtuA=",
+ "bzlTransitiveDigest": "jFn1y0jZFkpmqhpyfbU/wNurSJI2TMc4N1/k+//Wwqs=",
 "usagesDigest": "FEiDyZe9eAU6yEqnarZf0XMEUk+prUyYClvq1RU1J98=",
 "recordedInputs": [
 "REPO_MAPPING:,bazel_tools bazel_tools",
@@ -447,7 +447,8 @@
 "strip_prefix": "krb5-krb5-1.22.2-final",
 "url": "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.22.2-final.tar.gz",
 "patches": [
- "@@//bazel/thirdparty:0002-Fix-two-NegoEx-parsing-vulnerabilities.patch"
+ "@@//bazel/thirdparty:0002-Fix-two-NegoEx-parsing-vulnerabilities.patch",
+ "@@//bazel/thirdparty:0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch"
 ],
 "patch_args": [
 "-p1"
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 2b1f5d3f29985..94b160f148304 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -83,6 +83,7 @@ def data_dependency():
 url = "https://github.com/krb5/krb5/archive/refs/tags/krb5-1.22.2-final.tar.gz",
 patches = [
 "//bazel/thirdparty:0002-Fix-two-NegoEx-parsing-vulnerabilities.patch",
+ "//bazel/thirdparty:0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch",
 ],
 patch_args = ["-p1"],
 )
diff --git a/bazel/thirdparty/0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch b/bazel/thirdparty/0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch
new file mode 100644
index 0000000000000..eaf052a8671b4
--- /dev/null
+++ b/bazel/thirdparty/0003-Fix-build-when-KRB5_DNS_LOOKUP-isnt-defined.patch
@@ -0,0 +1,50 @@
+From 3c672caba714164f26a7464ba82873dff750573c Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Subject: [PATCH] Fix build when KRB5_DNS_LOOKUP isn't defined
+
+Commit fabbf11f457a84904a5fa251584fd660a52fa583 mistakenly defined the
+kdclist and kdclist_entry structures inside a KRB5_DNS_LOOKUP
+conditional. Move the definitions outside of the conditional.
+---
+ src/lib/krb5/os/locate_kdc.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
+--- a/src/lib/krb5/os/locate_kdc.c
++++ b/src/lib/krb5/os/locate_kdc.c
+@@ -27,16 +27,6 @@
+ #include "k5-int.h"
+ #include "fake-addrinfo.h"
+ #include "os-proto.h"
+-
+-#ifdef KRB5_DNS_LOOKUP
+-
+-#define DEFAULT_LOOKUP_KDC 1
+-#if KRB5_DNS_LOOKUP_REALM
+-#define DEFAULT_LOOKUP_REALM 1
+-#else
+-#define DEFAULT_LOOKUP_REALM 0
+-#endif
+-#define DEFAULT_URI_LOOKUP TRUE
+
+ struct kdclist_entry {
+ krb5_data realm;
+@@ -47,6 +37,16 @@
+ size_t count;
+ struct kdclist_entry *list;
+ };
++
++#ifdef KRB5_DNS_LOOKUP
++
++#define DEFAULT_LOOKUP_KDC 1
++#if KRB5_DNS_LOOKUP_REALM
++#define DEFAULT_LOOKUP_REALM 1
++#else
++#define DEFAULT_LOOKUP_REALM 0
++#endif
++#define DEFAULT_URI_LOOKUP TRUE
+
+ static int
+ maybe_use_dns (krb5_context context, const char *name, int defalt)
+--
+2.34.1
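Review bot: The added 0003 entry records nothing about where the patch comes from or when it can be dropped; a comment like `# upstream master 3c672ca (build fix for 1.22.2); drop on the next krb5 upgrade` above the new line would keep the patch list self-describing. The commit message also says the Bazel sandbox build leaves KRB5_DNS_LOOKUP undefined, and the vendored patch shows the DEFAULT_LOOKUP_KDC/DEFAULT_LOOKUP_REALM/DEFAULT_URI_LOOKUP settings live under that ifdef, which suggests DNS-based KDC discovery is compiled out of this krb5 build; if that is intended, it deserves a line in krb5.BUILD or next to this http_archive rather than only in the commit message. The enclosing data_dependency() starts outside the hunk.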