diff --git a/SOURCES/Fix-two-NegoEx-parsing-vulnerabilities.patch b/SOURCES/Fix-two-NegoEx-parsing-vulnerabilities.patch new file mode 100644 index 0000000..a230738 --- /dev/null +++ b/SOURCES/Fix-two-NegoEx-parsing-vulnerabilities.patch @@ -0,0 +1,65 @@ +From 317d6cc21d12148bbb1366b6d143c1913bff4d80 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: [PATCH] Fix two NegoEx parsing vulnerabilities + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. + +ticket: 9205 (new) +tags: pullup +target_version: 1.22-next + +(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f) +--- + src/lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index 99580fd79c..632f719ba8 100644 +--- a/src/lib/gssapi/spnego/negoex_util.c ++++ b/src/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } +-- +2.53.0 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 42436b5..602e758 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 33%{?dist} +Release: 34%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -118,6 +118,7 @@ Patch172: Add-PKINIT-paChecksum2-from-MS-PKCA-v20230920.patch Patch173: downstream-Do-not-block-HMAC-MD4-5-in-FIPS-mode.patch Patch174: Improve-ulog-block-resize-efficiency.patch Patch175: Fix-uninitialized-pointer-dereference-in-libkrad.patch +Patch176: Fix-two-NegoEx-parsing-vulnerabilities.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -728,6 +729,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Apr 28 2026 Julien Rische - 1.18.2-34 +- Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) + Resolves: RHEL-171589 RHEL-171594 + * Wed Jan 28 2026 Julien Rische - 1.18.2-33 - krad: packet ID fetched from uninitialized variable Resolves: RHEL-109220