File munge-0001-oob-read-fix.patch of Package munge.41469

From 5bd6d4db92dabdbed3aaf01ebd5f0d98944326bb Mon Sep 17 00:00:00 2001
From: Chris Dunlap <cdunlap@llnl.gov>
Date: Mon, 26 Jan 2026 13:53:36 -0800
Subject: [PATCH 1/2] Fix out-of-bounds read in credential decoding

Add missing bounds check before copying MAC in dec_unpack_outer().

All other fields unpacked in dec_unpack_outer() validate that
sufficient data remains in the buffer before reading.  However,
the MAC was copied without checking if c->mac_len bytes were available.

An attacker can craft a credential specifying a large MAC type
while providing a truncated credential with insufficient data.
When memcpy() attempts to copy c->mac_len bytes, it reads beyond the
received buffer, potentially reading up to 64 bytes of process memory
(for SHA-512 MACs).  Additionally, subtracting c->mac_len from the
remaining length causes an integer underflow, making c->inner_len
negative and resulting in undefined behavior in subsequent operations.

While this is a memory safety violation, subsequent validation
prevents information disclosure.  When encryption is enabled, either
malloc() fails with the negative (wrapped to huge) buffer size or
cipher_update() rejects the negative srclen.  When encryption is
disabled, mac_update() rejects the negative srclen.  In all cases,
the credential is rejected before any leaked data could be disclosed
to the attacker.

Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
---
 src/munged/dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/munged/dec.c b/src/munged/dec.c
index e8fdcf8b..7d21922b 100644
--- a/src/munged/dec.c
+++ b/src/munged/dec.c
@@ -516,6 +516,9 @@ dec_unpack_outer (munge_cred_t c)
     /*
      *  Unpack the MAC.
      */
+    if (c->mac_len > len) {
+        return (m_msg_set_err (m, EMUNGE_BAD_CRED, strdup ("Truncated MAC")));
+    }
     memcpy (c->mac, p, c->mac_len);
     p += c->mac_len;
     len -= c->mac_len;
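Review bot: The added check `if (c->mac_len > len)` ahead of the memcpy() is only sound if both operands have the same signedness and len cannot already be negative at this point. Neither type is visible in this hunk. The commit message describes the subtraction producing a negative c->inner_len, which suggests the remaining length is signed. If c->mac_len is unsigned, a negative len would be converted to a large unsigned value in the comparison and the check would pass, so please confirm the types or state the invariant (len >= 0 when this block is reached) in the "Unpack the MAC" comment. Two smaller points: the strdup() result is passed straight to m_msg_set_err() with no NULL check, so it is worth confirming the callee tolerates NULL on allocation failure, and a regression test that feeds a credential truncated inside the MAC and expects EMUNGE_BAD_CRED would keep this check from being lost later.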
-- 
2.51.0
