Auto sync2gitlab import of krb5-1.18.2-22.el8.src.rpm
This commit is contained in:
parent
da349d17a0
commit
94c0b83203
106
Fix-integer-overflows-in-PAC-parsing.patch
Normal file
106
Fix-integer-overflows-in-PAC-parsing.patch
Normal file
@ -0,0 +1,106 @@
|
|||||||
|
From d2477aa606ad590ca4097941bb6c2e1955b2a8c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Mon, 17 Oct 2022 20:25:11 -0400
|
||||||
|
Subject: [PATCH] Fix integer overflows in PAC parsing
|
||||||
|
|
||||||
|
In krb5_parse_pac(), check for buffer counts large enough to threaten
|
||||||
|
integer overflow in the header length and memory length calculations.
|
||||||
|
Avoid potential integer overflows when checking the length of each
|
||||||
|
buffer.
|
||||||
|
|
||||||
|
CVE-2022-42898:
|
||||||
|
|
||||||
|
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
|
||||||
|
able to cause a KDC or kadmind process to crash by reading beyond the
|
||||||
|
bounds of allocated memory, creating a denial of service. A
|
||||||
|
privileged attacker may similarly be able to cause a Kerberos or GSS
|
||||||
|
application service to crash. On 32-bit platforms, an attacker can
|
||||||
|
also cause insufficient memory to be allocated for the result,
|
||||||
|
potentially leading to remote code execution in a KDC, kadmind, or GSS
|
||||||
|
or Kerberos application server process. An attacker with the
|
||||||
|
privileges of a cross-realm KDC may be able to extract secrets from
|
||||||
|
the KDC process's memory by having them copied into the PAC of a new
|
||||||
|
ticket.
|
||||||
|
|
||||||
|
ticket: 9074 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.20-next
|
||||||
|
target_version: 1.19-next
|
||||||
|
---
|
||||||
|
src/lib/krb5/krb/pac.c | 9 +++++++--
|
||||||
|
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
|
||||||
|
2 files changed, 25 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||||
|
index 950beda657..1b9ef12276 100644
|
||||||
|
--- a/src/lib/krb5/krb/pac.c
|
||||||
|
+++ b/src/lib/krb5/krb/pac.c
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
#include "k5-int.h"
|
||||||
|
#include "authdata.h"
|
||||||
|
|
||||||
|
+#define MAX_BUFFERS 4096
|
||||||
|
+
|
||||||
|
/* draft-brezak-win2k-krb-authz-00 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
|
||||||
|
if (version != 0)
|
||||||
|
return EINVAL;
|
||||||
|
|
||||||
|
+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
|
||||||
|
+ return ERANGE;
|
||||||
|
+
|
||||||
|
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
|
||||||
|
if (len < header_len)
|
||||||
|
return ERANGE;
|
||||||
|
@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
|
||||||
|
krb5_pac_free(context, pac);
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
- if (buffer->Offset < header_len ||
|
||||||
|
- buffer->Offset + buffer->cbBufferSize > len) {
|
||||||
|
+ if (buffer->Offset < header_len || buffer->Offset > len ||
|
||||||
|
+ buffer->cbBufferSize > len - buffer->Offset) {
|
||||||
|
krb5_pac_free(context, pac);
|
||||||
|
return ERANGE;
|
||||||
|
}
|
||||||
|
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
||||||
|
index ee47152ee4..ccd165380d 100644
|
||||||
|
--- a/src/lib/krb5/krb/t_pac.c
|
||||||
|
+++ b/src/lib/krb5/krb/t_pac.c
|
||||||
|
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
|
||||||
|
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
|
||||||
|
};
|
||||||
|
|
||||||
|
+static const unsigned char fuzz1[] = {
|
||||||
|
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static const unsigned char fuzz2[] = {
|
||||||
|
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
+ 0x20, 0x20
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
static const char *s4u_principal = "w2k8u@ACME.COM";
|
||||||
|
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
|
||||||
|
|
||||||
|
@@ -646,6 +656,14 @@ main(int argc, char **argv)
|
||||||
|
krb5_free_principal(context, sep);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Check problematic PACs found by fuzzing. */
|
||||||
|
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
|
||||||
|
+ if (!ret)
|
||||||
|
+ err(context, ret, "krb5_pac_parse should have failed");
|
||||||
|
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
|
||||||
|
+ if (!ret)
|
||||||
|
+ err(context, ret, "krb5_pac_parse should have failed");
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Test empty free
|
||||||
|
*/
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
|||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.18.2
|
Version: 1.18.2
|
||||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||||
Release: 21%{?dist}
|
Release: 22%{?dist}
|
||||||
|
|
||||||
# lookaside-cached sources; two downloads and a build artifact
|
# lookaside-cached sources; two downloads and a build artifact
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
||||||
@ -93,6 +93,7 @@ Patch147: Try-harder-to-avoid-password-change-replay-errors.patch
|
|||||||
Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
|
Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
|
||||||
Patch149: krb5-krad-larger-attrs.patch
|
Patch149: krb5-krad-larger-attrs.patch
|
||||||
Patch150: krb5-krad-remote.patch
|
Patch150: krb5-krad-remote.patch
|
||||||
|
Patch151: Fix-integer-overflows-in-PAC-parsing.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -703,6 +704,10 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 08 2022 Julien Rische <jrische@redhat.com> - 1.18.2-22
|
||||||
|
- Fix integer overflows in PAC parsing (CVE-2022-42898)
|
||||||
|
- Resolves: rhbz#2140968
|
||||||
|
|
||||||
* Fri Jul 01 2022 Julien Rische <jrische@redhat.com> - 1.18.2-21
|
* Fri Jul 01 2022 Julien Rische <jrische@redhat.com> - 1.18.2-21
|
||||||
- Backport fix of memory use after free during libkrad cleanup
|
- Backport fix of memory use after free during libkrad cleanup
|
||||||
- Backport support for larger RADIUS attributes in libkrad
|
- Backport support for larger RADIUS attributes in libkrad
|
||||||
|
Loading…
Reference in New Issue
Block a user