krb5 1.21.3-11
- Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) Resolves: RHEL-171587 RHEL-171595 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
f8072c590c
commit
4104772ea8
65
0046-Fix-two-NegoEx-parsing-vulnerabilities.patch
Normal file
65
0046-Fix-two-NegoEx-parsing-vulnerabilities.patch
Normal file
@ -0,0 +1,65 @@
|
||||
From 0523cb0d15e8c3bef3c83d50277f3a964e91b244 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Wed, 8 Apr 2026 17:57:59 -0400
|
||||
Subject: [PATCH] Fix two NegoEx parsing vulnerabilities
|
||||
|
||||
In parse_nego_message(), check the result of the second call to
|
||||
vector_base() before dereferencing it. In parse_message(), check for
|
||||
a short header_len to prevent an integer underflow when calculating
|
||||
the remaining message length.
|
||||
|
||||
Reported by Cem Onat Karagun.
|
||||
|
||||
CVE-2026-40355:
|
||||
|
||||
In MIT krb5 release 1.18 and later, if an application calls
|
||||
gss_accept_sec_context() on a system with a NegoEx mechanism
|
||||
registered in /etc/gss/mech, an unauthenticated remote attacker can
|
||||
trigger a null pointer dereference, causing the process to terminate.
|
||||
|
||||
CVE-2026-40356:
|
||||
|
||||
In MIT krb5 release 1.18 and later, if an application calls
|
||||
gss_accept_sec_context() on a system with a NegoEx mechanism
|
||||
registered in /etc/gss/mech, an unauthenticated remote attacker can
|
||||
trigger a read overrun of up to 52 bytes, possibly causing the process
|
||||
to terminate. Exfiltration of the bytes read does not appear
|
||||
possible.
|
||||
|
||||
ticket: 9205 (new)
|
||||
tags: pullup
|
||||
target_version: 1.22-next
|
||||
|
||||
(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
|
||||
---
|
||||
src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
|
||||
index edc5462e84..a65238e573 100644
|
||||
--- a/src/lib/gssapi/spnego/negoex_util.c
|
||||
+++ b/src/lib/gssapi/spnego/negoex_util.c
|
||||
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
|
||||
offset = k5_input_get_uint32_le(in);
|
||||
count = k5_input_get_uint16_le(in);
|
||||
p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
|
||||
+ if (p == NULL) {
|
||||
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
|
||||
+ return GSS_S_DEFECTIVE_TOKEN;
|
||||
+ }
|
||||
for (i = 0; i < count; i++) {
|
||||
extension_type = load_32_le(p + i * EXTENSION_LENGTH);
|
||||
if (extension_type & EXTENSION_FLAG_CRITICAL) {
|
||||
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
|
||||
msg_len = k5_input_get_uint32_le(in);
|
||||
conv_id = k5_input_get_bytes(in, GUID_LENGTH);
|
||||
|
||||
- if (in->status || msg_len > token_remaining || header_len > msg_len) {
|
||||
+ if (in->status || msg_len > token_remaining ||
|
||||
+ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
|
||||
*minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
|
||||
return GSS_S_DEFECTIVE_TOKEN;
|
||||
}
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
#
|
||||
# baserelease is what we have standardized across Fedora and what
|
||||
# rpmdev-bumpspec knows how to handle.
|
||||
%global baserelease 10
|
||||
%global baserelease 11
|
||||
|
||||
# This should be e.g. beta1 or %%nil
|
||||
%global pre_release %nil
|
||||
@ -104,6 +104,7 @@ Patch0042: 0042-downstream-Install-xrealmauthz-like-other-plugins.patch
|
||||
Patch0043: 0043-Fix-S4U2Self-ignoring-time_req-when-acquiring-impers.patch
|
||||
Patch0044: 0044-Fix-S4U2Self-ignoring-time_req-when-copying-imperson.patch
|
||||
Patch0045: 0045-Add-t_s4u-test-for-time_req-bounding-all-delegated-c.patch
|
||||
Patch0046: 0046-Fix-two-NegoEx-parsing-vulnerabilities.patch
|
||||
|
||||
License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -762,6 +763,10 @@ exit 0
|
||||
%{_datarootdir}/%{name}-tests/%{_arch}
|
||||
|
||||
%changelog
|
||||
* Tue Apr 28 2026 Julien Rische <jrische@redhat.com> - 1.21.3-11
|
||||
- Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)
|
||||
Resolves: RHEL-171587 RHEL-171595
|
||||
|
||||
* Mon Mar 23 2026 Julien Rische <jrische@redhat.com> - 1.21.3-10
|
||||
- Fix S4U2Self ignoring time_req when acquiring impersonated credentials
|
||||
Resolves: RHEL-155169
|
||||
|
||||
Loading…
Reference in New Issue
Block a user