Comparing changes

base repository: krb5/krb5
base: krb5-1.20.1-final
head repository: krb5/krb5
compare: krb5-1.20.2-final
  • 12 commits
  • 43 files changed
  • 3 contributors

Commits on Nov 13, 2022

  1. commit 706c43b

Commits on Jul 6, 2023

  1. Update error checking for OpenSSL CMS_verify

    The code for CMS data verification was initially written for OpenSSL's
    PKCS7_verify() function.  It now uses CMS_verify(), but error handling
    is still done using PKCS7_verify() error identifiers.  Update the
    recognized error codes so that the KDC generates
    KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
    Use ERR_peek_last_error() to observe the error generated closest to
    the API surface.
    
    [[email protected]: edited commit message]
    
    (cherry picked from commit 70f61d4)
    
    ticket: 9069
    version_fixed: 1.20.2
    jrisc authored and greghudson committed Jul 6, 2023
    commit 9a20519
  2. Fix PKINIT CMS error checking for older OpenSSL

    Commit 70f61d4 updated the CMS_verify() error code checks, using two
    error codes new to OpenSSL 3.0 (RSA_R_DIGEST_NOT_ALLOWED and
    CMS_R_UNKNOWN_DIGEST_ALGORITHM).  This change broke the build for
    OpenSSL 1.0 and 1.1.
    
    Instead of looking for codes indicating an algorithm issue and
    assuming that everything else is an invalid signature, check for the
    code indicating an invalid signature and assume that everything else
    is an algorithm issue.
    
    (cherry picked from commit e48e2e5)
    
    ticket: 9069
    version_fixed: 1.20.2
    greghudson committed Jul 6, 2023
    commit a6971d2
  3. Fix aclocal.m4 syntax error for autoconf 2.72

    An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf
    versions up to 2.71, but will cause an error at configure time with
    the forthcoming autoconf 2.72.
    
    [[email protected]: added more context to commit message]
    
    (cherry picked from commit d864d74)
    
    ticket: 9077
    version_fixed: 1.20.2
    jrisc authored and greghudson committed Jul 6, 2023
    commit d1e41ca
  4. Fix kpropd crash with unrecognized option

    (cherry picked from commit d0ea8de)
    
    ticket: 9083
    version_fixed: 1.20.2
    abushwang authored and greghudson committed Jul 6, 2023
    commit 50f3640
  5. Fix read overruns in SPNEGO parsing

    Fix three read overruns discovered by the GitHub Security Lab team
    (GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.
    
    In get_mech_set(), error out if gss_add_oid_set_member() fails rather
    than continue the loop and increment i past the current bound of
    returned_mechSet.  In g_verify_neg_token_init(), check for zero-byte
    sequences before reading tag bytes, and reduce cur_size by one to
    account for the tag byte when calling gssint_get_der_length().
    
    (cherry picked from commit 47c2a12)
    
    ticket: 9085
    version_fixed: 1.20.2
    greghudson committed Jul 6, 2023
    commit eb886f6
  6. Fix possible double-free during KDB creation

    In krb5_dbe_def_encrypt_key_data(), when we free
    key_data->key_data_contents[0], reset it to null so the caller doesn't
    free it as well.
    
    Since commit a06945b this bug manifests as a double-free during KDB
    creation if master key encryption fails.
    
    [[email protected]: edited commit message]
    
    (cherry picked from commit fddd419)
    
    ticket: 9086
    version_fixed: 1.20.2
    jrisc authored and greghudson committed Jul 6, 2023
    commit 81a2265
  7. Fix meridian type in getdate.y

    Commit d3356bc (ticket 8927) incorrectly tagged tMERIDIAN as
    <Number>.  So while the lexer assigns meridian values to the Meridian
    union field, the parser erroneously reads them from the Number field.
    On 64-bit IBM zSystems (s390x), this can result in using the most
    recently read number as a meridian value, leading to an abort in
    ToSeconds().
    
    Fix the tMERIDIAN token type to be <Meridian>.
    
    [[email protected]: edited commit message]
    
    (cherry picked from commit 0108d7d)
    
    ticket: 9087
    version_fixed: 1.20.2
    jrisc authored and greghudson committed Jul 6, 2023
    commit 5c2f26a
  8. Ensure array count consistency in kadm5 RPC

    In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
    key_data array count when decoding.  Otherwise when the structure is
    later freed, xdr_array() could iterate over the wrong number of
    elements, either leaking some memory or freeing uninitialized
    pointers.  Reported by Robert Morris.
    
    CVE-2023-36054:
    
    An authenticated attacker can cause a kadmind process to crash by
    freeing uninitialized pointers.  Remote code execution is unlikely.
    An attacker with control of a kadmin server can cause a kadmin client
    to crash by freeing uninitialized pointers.
    
    (cherry picked from commit ef08b09)
    
    ticket: 9099
    version_fixed: 1.20.2
    greghudson committed Jul 6, 2023
    commit c81ffb6
  9. commit a273d4d
  10. make regen

    greghudson committed Jul 6, 2023
    commit 62db77c
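
The two bounds checks that the "Fix read overruns in SPNEGO parsing" commit above describes for g_verify_neg_token_init(), shown as an added C example that is not krb5's code and does not cover the get_mech_set() part of the fix. `der_length()` and `element_len()` are hypothetical names, and the inputs in `main()` are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical length decoder (not krb5's gssint_get_der_length()): reads a
 * DER length from at most avail bytes; returns bytes consumed, 0 on error. */
static size_t der_length(const unsigned char *p, size_t avail, size_t *len)
{
    size_t n, i;

    if (avail == 0)
        return 0;
    if (p[0] < 0x80) {                  /* short form */
        *len = p[0];
        return 1;
    }
    n = p[0] & 0x7f;                    /* long form: n length octets */
    if (n == 0 || n > sizeof(*len) || n > avail - 1)
        return 0;
    for (*len = 0, i = 1; i <= n; i++)
        *len = (*len << 8) | p[i];
    return n + 1;
}

/* Return the content length of a DER element with the given tag that fits
 * entirely inside buf[0..size), or -1 if the input is malformed or short. */
long element_len(const unsigned char *buf, size_t size, unsigned char tag)
{
    size_t used, len;

    if (size == 0)                      /* zero-byte input: no tag to read */
        return -1;
    if (buf[0] != tag)
        return -1;
    /* The tag used one byte, so the length decoder may see only size - 1. */
    used = der_length(buf + 1, size - 1, &len);
    if (used == 0 || len > size - 1 - used)
        return -1;
    return (long)len;
}

int main(void)
{
    /* Constructed inputs: a lone tag byte, and a complete 3-byte SEQUENCE. */
    static const unsigned char lone_tag[] = { 0x30 };
    static const unsigned char whole[] = { 0x30, 0x03, 0x01, 0x02, 0x03 };
    printf("%ld %ld\n", element_len(lone_tag, sizeof(lone_tag), 0x30),
           element_len(whole, sizeof(whole), 0x30));
    return 0;
}
```

The lone tag byte is the case the size adjustment protects: passing the full size to the length decoder would let it read one byte past the buffer.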
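
The count-consistency check from the "Ensure array count consistency in kadm5 RPC" commit above (CVE-2023-36054), as an added C example that is not krb5's code. It assumes a constructed wire format in place of XDR; the structures and the `decode_princ()` and `free_princ()` names are hypothetical simplifications.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kadm5 principal record (hypothetical). */
struct key_data { unsigned char *contents; };
struct princ_rec {
    uint32_t n_key_data;           /* count carried as its own field */
    struct key_data *key_data;     /* array carried with its own count */
};

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Frees exactly n_key_data elements, so that field must be truthful. */
void free_princ(struct princ_rec *rec)
{
    for (uint32_t i = 0; rec->key_data != NULL && i < rec->n_key_data; i++)
        free(rec->key_data[i].contents);
    free(rec->key_data);
    memset(rec, 0, sizeof(*rec));
}

/* Constructed wire form: u32 n_key_data, u32 array count, then one byte per
 * element.  Returns the element count, or -1 (rec left empty) if malformed. */
long decode_princ(const unsigned char *buf, size_t size, struct princ_rec *rec)
{
    memset(rec, 0, sizeof(*rec));
    if (size < 8)
        return -1;
    uint32_t n = get_u32(buf), count = get_u32(buf + 4);
    if (n != count || count > size - 8)    /* the two counts must agree */
        return -1;
    rec->key_data = calloc(count ? count : 1, sizeof(*rec->key_data));
    if (rec->key_data == NULL)
        return -1;
    rec->n_key_data = count;               /* matches what was allocated */
    for (uint32_t i = 0; i < count; i++) {
        rec->key_data[i].contents = malloc(1);
        if (rec->key_data[i].contents == NULL) {
            free_princ(rec);
            return -1;
        }
        rec->key_data[i].contents[0] = buf[8 + i];
    }
    return (long)count;
}
```

Rejecting the record at decode time means the free routine never walks more elements than were allocated and initialized.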

Commits on Jul 7, 2023

  1. Update for krb5-1.20.2

    greghudson committed Jul 7, 2023
    commit 47646c2