New release 1.2.0

Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
Fix CVE-2023-25565: incorrect free when decoding target information
Fix CVE-2023-25566: memory leak when parsing usernames
Fix CVE-2023-25567: out-of-bounds read when decoding target information
Resolves: rhbz#2178907

Signed-off-by: Julien Rische <jrische@redhat.com>
Julien Rische 2023-03-23 15:44:31 +01:00
parent 80ed17ed12
commit 34fe14baea
5 changed files with 53 additions and 163 deletions

.gitignore vendored

@ -1,2 +1,3 @@
SOURCES/gssntlmssp-0.7.0.tar.gz
/gssntlmssp-0.7.0.tar.gz
/gssntlmssp-1.2.0.tar.gz


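--- a/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 29 Jun 2016 11:15:11 -0400
-Subject: [PATCH] Add compatibility with OpenSSL 1.1.0
-In their continued wisdom OpenSSL developers keep breaking APIs left and right
-with very poor documentation and forward/backward source compatibility.
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
-src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------
-1 file changed, 48 insertions(+), 12 deletions(-)
-diff --git a/src/crypto.c b/src/crypto.c
-index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644
---- a/src/crypto.c
-+++ b/src/crypto.c
-@@ -27,6 +27,32 @@
-#include "crypto.h"
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ HMAC_CTX *ctx;
-+
-+ ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
-+ if (!ctx) return NULL;
-+
-+ HMAC_CTX_init(ctx);
-+
-+ return ctx;
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ if (ctx == NULL) return;
-+
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+}
-+
-+#define EVP_MD_CTX_new EVP_MD_CTX_create
-+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-+
-+#endif
-+
-int RAND_BUFFER(struct ntlm_buffer *random)
-{
-int ret;
-@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
-struct ntlm_iov *iov,
-struct ntlm_buffer *result)
-{
-- HMAC_CTX hmac_ctx;
-+ HMAC_CTX *hmac_ctx;
-unsigned int len;
-size_t i;
-int ret = 0;
-if (result->length != 16) return EINVAL;
-- HMAC_CTX_init(&hmac_ctx);
-+ hmac_ctx = HMAC_CTX_new();
-+ if (!hmac_ctx) {
-+ ret = ERR_CRYPTO;
-+ goto done;
-+ }
-- ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL);
-+ ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-}
-for (i = 0; i < iov->num; i++) {
-- ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length);
-+ ret = HMAC_Update(hmac_ctx, iov->data[i]->data, iov->data[i]->length);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-}
-}
-- ret = HMAC_Final(&hmac_ctx, result->data, &len);
-+ ret = HMAC_Final(hmac_ctx, result->data, &len);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
-ret = 0;
-done:
-- HMAC_CTX_cleanup(&hmac_ctx);
-+ HMAC_CTX_free(hmac_ctx);
-return ret;
-}
-@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type,
-struct ntlm_buffer *payload,
-struct ntlm_buffer *result)
-{
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx;
-unsigned int len;
-int ret;
-if (result->length != 16) return EINVAL;
-- EVP_MD_CTX_init(&ctx);
-- ret = EVP_DigestInit_ex(&ctx, type, NULL);
-+ ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ ret = ERR_CRYPTO;
-+ goto done;
-+ }
-+
-+ EVP_MD_CTX_init(ctx);
-+ ret = EVP_DigestInit_ex(ctx, type, NULL);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-}
-- ret = EVP_DigestUpdate(&ctx, payload->data, payload->length);
-+ ret = EVP_DigestUpdate(ctx, payload->data, payload->length);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-}
-- ret = EVP_DigestFinal_ex(&ctx, result->data, &len);
-+ ret = EVP_DigestFinal_ex(ctx, result->data, &len);
-if (ret == 0) {
-ret = ERR_CRYPTO;
-goto done;
-@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type,
-ret = 0;
-done:
-- EVP_MD_CTX_cleanup(&ctx);
-+ if (ctx) EVP_MD_CTX_free(ctx);
-return ret;
-}
---
-2.9.3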


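--- /dev/null
+++ b/0001-Fix-potential-crash-when-no-target-name-is-present.patch
@@ -0,0 +1,28 @@
+From ddab884bf3a2de76c26559e962919e1145040f11 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 17 Mar 2023 09:08:13 -0400
+Subject: [PATCH] Fix potential crash when no target name is present
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+src/ntlm.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/ntlm.c b/src/ntlm.c
+index 0f71bfd..60a0787 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -325,7 +325,9 @@ done:
+safefree(out);
+} else {
+/* make sure to terminate output string */
+- out[outlen] = '\0';
++ if (out) {
++ out[outlen] = '\0';
++ }
+}
+*str = out;
+--
+2.39.2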
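Review bot: The new `if (out)` guard under the `done:` label turns a NULL `out` into a normal return of `*str = NULL`, so every caller of this decoder must now tolerate a NULL string on what reads as the success path; the hunk does not show whether they do, and if one of them does not, the NULL dereference is only moved from here into the caller. If an absent target name is meant to decode to an empty string, allocating a one-byte buffer in that branch (with the function's existing error return when the allocation fails) before writing the terminator would keep the non-NULL contract instead of weakening it. At minimum the guard deserves a comment such as `/* out stays NULL when nothing was decoded; callers must accept *str == NULL */`. The enclosing function, including where `out`, `outlen` and the error flag are set, begins outside this hunk.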


@ -1,16 +1,16 @@
Name: gssntlmssp
Version: 0.7.0
Release: 6%{?dist}
Summary: GSSAPI NTLMSSP Mechanism
Name: gssntlmssp
Version: 1.2.0
Release: 1%{?dist}
Summary: GSSAPI NTLMSSP Mechanism
Group: System Environment/Libraries
License: LGPLv3+
URL: https://fedorahosted.org/gss-ntlmssp
Source0: https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz
Group: System Environment/Libraries
License: LGPLv3+
URL: https://github.com/gssapi/gss-ntlmssp
Source0: https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
Patch01: 0001-Fix-potential-crash-when-no-target-name-is-present.patch
Requires: krb5-libs%{?_isa} >= 1.12.1-9
Requires: krb5-libs%{?_isa} >= 1.18.2-22
BuildRequires: autoconf
BuildRequires: automake
@ -22,10 +22,12 @@ BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: krb5-devel >= 1.11.2
BuildRequires: krb5-devel >= 1.18.2-22
BuildRequires: libunistring-devel
BuildRequires: openssl-devel
BuildRequires: pkgconfig(wbclient)
BuildRequires: zlib-devel
BuildRequires: make
%description
A GSSAPI Mechanism that implements NTLMSSP
@ -40,8 +42,7 @@ Adds a header file with definition for custom GSSAPI extensions for NTLMSSP
%prep
%setup -q
%patch01 -p1
%autosetup -S git
%build
autoreconf -fiv
@ -72,6 +73,15 @@ make test_gssntlmssp
%{_includedir}/gssapi/gssapi_ntlmssp.h
%changelog
* Thu Mar 23 2023 Julien Rische <jrische@redhat.com> - 1.2.0-1
- New release 1.2.0
- Fix CVE-2023-25563: multiple out-of-bounds read when decoding NTLM fields
- Fix CVE-2023-25564: memory corruption when decoding UTF16 strings
- Fix CVE-2023-25565: incorrect free when decoding target information
- Fix CVE-2023-25566: memory leak when parsing usernames
- Fix CVE-2023-25567: out-of-bounds read when decoding target information
- Resolves: rhbz#2178907
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
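Review bot: `%autosetup -S git` in the `%prep` hunk needs a git binary in the build root, and none of the `BuildRequires` visible in the two hunks shown (autoconf through make) provides one, so a minimal build root would fail at `%prep` before any patch is applied; unless one of the unseen spec lines 17–21 already lists it, add `BuildRequires: git-core` next to `BuildRequires: make`, or use `%autosetup -p1` so patches are applied with plain patch(1). The `Requires: krb5-libs%{?_isa} >= 1.18.2-22` and matching `krb5-devel` bump carry no explanation of which krb5 change they depend on; a one-line `# requires the GSSAPI fix shipped in krb5 1.18.2-22` (naming the actual change) above the `Requires:` line would spare the next rebase a guess. The `Patch01:` line keeps its number even though it is now the only patch, which is fine with `%autosetup`, but the old `%patch01 -p1` form would have needed updating had it survived.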


@ -1 +1 @@
SHA512 (gssntlmssp-0.7.0.tar.gz) = 43fc9e57c00e74be3c6954b3f43677e176f6284a543917533d7e427dff98810f1547336cdc240e5f9161f62975803f4b39c925a429c6c669202267da99e3d841
SHA512 (gssntlmssp-1.2.0.tar.gz) = e918f24dface17ae1f22f30576ee03d209bab55eb439df1a3f9d386e7e57b4f5a7155b79a05bd76ab5acea7ff1a988c6394f14e166f4a48209141bff8b398747