From 34fe14baea5e746e12446fc63e4d8856a69d32fe Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Thu, 23 Mar 2023 15:44:31 +0100
Subject: [PATCH] New release 1.2.0
Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
Fix CVE-2023-25565: incorrect free when decoding target information
Fix CVE-2023-25566: memory leak when parsing usernames
Fix CVE-2023-25567: out-of-bounds read when decoding target information
Resolves: rhbz#2178907
Signed-off-by: Julien Rische
---
 .gitignore | 1 +
 ...Add-compatibility-with-OpenSSL-1.1.0.patch | 149 ------------------
 ...crash-when-no-target-name-is-present.patch | 28 ++++
 gssntlmssp.spec | 36 +++--
 sources | 2 +-
 5 files changed, 53 insertions(+), 163 deletions(-)
 delete mode 100644 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
 create mode 100644 0001-Fix-potential-crash-when-no-target-name-is-present.patch
diff --git a/.gitignore b/.gitignore
index ce5c8f0..20c3ec3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 SOURCES/gssntlmssp-0.7.0.tar.gz
 /gssntlmssp-0.7.0.tar.gz
+/gssntlmssp-1.2.0.tar.gz
diff --git a/0001-Add-compatibility-with-OpenSSL-1.1.0.patch b/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
deleted file mode 100644
index a3b3913..0000000
--- a/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+++ /dev/null
@@ -1,149 +0,0 @@ -From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Wed, 29 Jun 2016 11:15:11 -0400 -Subject: [PATCH] Add compatibility with OpenSSL 1.1.0 - -In their continued wisdom OpenSSL developers keep breaking APIs left and right -with very poor documentation and forward/backward source compatibility. - -Signed-off-by: Simo Sorce ---- - src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 48 insertions(+), 12 deletions(-) - -diff --git a/src/crypto.c b/src/crypto.c -index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644 ---- a/src/crypto.c -+++ b/src/crypto.c -@@ -27,6 +27,32 @@ - - #include "crypto.h" - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+HMAC_CTX *HMAC_CTX_new(void) -+{ -+ HMAC_CTX *ctx; -+ -+ ctx = OPENSSL_malloc(sizeof(HMAC_CTX)); -+ if (!ctx) return NULL; -+ -+ HMAC_CTX_init(ctx); -+ -+ return ctx; -+} -+ -+void HMAC_CTX_free(HMAC_CTX *ctx) -+{ -+ if (ctx == NULL) return; -+ -+ HMAC_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+} -+ -+#define EVP_MD_CTX_new EVP_MD_CTX_create -+#define EVP_MD_CTX_free EVP_MD_CTX_destroy -+ -+#endif -+ - int RAND_BUFFER(struct ntlm_buffer *random) - { - int ret; -@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key, - struct ntlm_iov *iov, - struct ntlm_buffer *result) - { -- HMAC_CTX hmac_ctx; -+ HMAC_CTX *hmac_ctx; - unsigned int len; - size_t i; - int ret = 0; - - if (result->length != 16) return EINVAL; - -- HMAC_CTX_init(&hmac_ctx); -+ hmac_ctx = HMAC_CTX_new(); -+ if (!hmac_ctx) { -+ ret = ERR_CRYPTO; -+ goto done; -+ } - -- ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL); -+ ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - - for (i = 0; i < iov->num; i++) { -- ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length); -+ ret = HMAC_Update(hmac_ctx, 
iov->data[i]->data, iov->data[i]->length); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - } - -- ret = HMAC_Final(&hmac_ctx, result->data, &len); -+ ret = HMAC_Final(hmac_ctx, result->data, &len); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; -@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key, - ret = 0; - - done: -- HMAC_CTX_cleanup(&hmac_ctx); -+ HMAC_CTX_free(hmac_ctx); - return ret; - } - -@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type, - struct ntlm_buffer *payload, - struct ntlm_buffer *result) - { -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned int len; - int ret; - - if (result->length != 16) return EINVAL; - -- EVP_MD_CTX_init(&ctx); -- ret = EVP_DigestInit_ex(&ctx, type, NULL); -+ ctx = EVP_MD_CTX_new(); -+ if (!ctx) { -+ ret = ERR_CRYPTO; -+ goto done; -+ } -+ -+ EVP_MD_CTX_init(ctx); -+ ret = EVP_DigestInit_ex(ctx, type, NULL); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - -- ret = EVP_DigestUpdate(&ctx, payload->data, payload->length); -+ ret = EVP_DigestUpdate(ctx, payload->data, payload->length); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - -- ret = EVP_DigestFinal_ex(&ctx, result->data, &len); -+ ret = EVP_DigestFinal_ex(ctx, result->data, &len); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; -@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type, - ret = 0; - - done: -- EVP_MD_CTX_cleanup(&ctx); -+ if (ctx) EVP_MD_CTX_free(ctx); - return ret; - } - --- -2.9.3 - diff --git a/0001-Fix-potential-crash-when-no-target-name-is-present.patch b/0001-Fix-potential-crash-when-no-target-name-is-present.patch new file mode 100644 index 0000000..2776722 --- /dev/null +++ b/0001-Fix-potential-crash-when-no-target-name-is-present.patch 
@@ -0,0 +1,28 @@
+From ddab884bf3a2de76c26559e962919e1145040f11 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 17 Mar 2023 09:08:13 -0400
+Subject: [PATCH] Fix potential crash when no target name is present
+
+Signed-off-by: Simo Sorce
+---
+ src/ntlm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/ntlm.c b/src/ntlm.c
+index 0f71bfd..60a0787 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -325,7 +325,9 @@ done:
+ safefree(out);
+ } else {
+ /* make sure to terminate output string */
+- out[outlen] = '\0';
++ if (out) {
++ out[outlen] = '\0';
++ }
+ }
+ 
+ *str = out;
+-- 
+2.39.2
+
diff --git a/gssntlmssp.spec b/gssntlmssp.spec
index f8f5dcc..6ae616d 100644
--- a/gssntlmssp.spec
+++ b/gssntlmssp.spec
@@ -1,16 +1,16 @@
-Name: gssntlmssp
-Version: 0.7.0
-Release: 6%{?dist}
-Summary: GSSAPI NTLMSSP Mechanism
+Name: gssntlmssp
+Version: 1.2.0
+Release: 1%{?dist}
+Summary: GSSAPI NTLMSSP Mechanism
 
-Group: System Environment/Libraries
-License: LGPLv3+
-URL: https://fedorahosted.org/gss-ntlmssp
-Source0: https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz
+Group: System Environment/Libraries
+License: LGPLv3+
+URL: https://github.com/gssapi/gss-ntlmssp
+Source0: https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
 
-Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+Patch01: 0001-Fix-potential-crash-when-no-target-name-is-present.patch
 
-Requires: krb5-libs%{?_isa} >= 1.12.1-9
+Requires: krb5-libs%{?_isa} >= 1.18.2-22
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -22,10 +22,12 @@ BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: krb5-devel >= 1.11.2
+BuildRequires: krb5-devel >= 1.18.2-22
 BuildRequires: libunistring-devel
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig(wbclient)
+BuildRequires: zlib-devel
+BuildRequires: make
 
 %description
 A GSSAPI Mechanism that implements NTLMSSP
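Review bot: The guarded else branch in the embedded src/ntlm.c hunk now lets the function reach `*str = out;` with `out == NULL` on what is otherwise the success path, so callers receive a NULL string without any error indication, and nothing in the patch documents that contract. The enclosing function starts outside the hunk, so I cannot confirm that every caller checks `*str` before dereferencing it; a header comment on that function along the lines of `/* On success *str may be NULL when no target name is present; callers must check before use. */` would make the new behaviour explicit, or the branch could hand back an explicit error or an empty string instead of silently returning NULL. The `safefree(out)` on the error path already tolerates NULL, so the added guard is only needed on the terminating write.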
@@ -40,8 +42,7 @@ Adds a header file with definition for custom GSSAPI extensions for NTLMSSP %prep -%setup -q -%patch01 -p1 +%autosetup -S git %build autoreconf -fiv @@ -72,6 +73,15 @@ make test_gssntlmssp %{_includedir}/gssapi/gssapi_ntlmssp.h %changelog +* Thu Mar 23 2023 Julien Rische - 1.2.0-1 +- New release 1.2.0 +- Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields +- Fix CVE-2023-25564: memory corruption when decoding UTF16 strings +- Fix CVE-2023-25565: incorrect free when decoding target information +- Fix CVE-2023-25566: memory leak when parsing usernames +- Fix CVE-2023-25567: out-of-bounds read when decoding target information +- Resolves: rhbz#2178907 + * Wed Feb 07 2018 Fedora Release Engineering - 0.7.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index a4a641c..224f428 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (gssntlmssp-0.7.0.tar.gz) = 43fc9e57c00e74be3c6954b3f43677e176f6284a543917533d7e427dff98810f1547336cdc240e5f9161f62975803f4b39c925a429c6c669202267da99e3d841 +SHA512 (gssntlmssp-1.2.0.tar.gz) = e918f24dface17ae1f22f30576ee03d209bab55eb439df1a3f9d386e7e57b4f5a7155b79a05bd76ab5acea7ff1a988c6394f14e166f4a48209141bff8b398747