From d7334ebf68fab49402c648d80416aad7bafc7b65 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 9 Sep 2020 17:47:18 -0400
Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
---
 ...ngth-checking-in-SPNEGO-DER-decoding.patch | 58 +++++++++++++++++++
 krb5.spec | 6 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
diff --git a/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch b/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
new file mode 100644
index 0000000..4bad883
--- /dev/null
+++ b/Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
@@ -0,0 +1,58 @@
+From 9504dd4de49938e4cdd56ce6df635b76eaf37e96 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 28 Jul 2020 12:58:26 -0400
+Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
+
+In get_mech_set(), check the length before reading the first byte, and
+decrease the length by the tag byte when reading and verifying the
+sequence length.
+
+In get_req_flags(), check the length before reading the first byte,
+and check the context tag length after decoding it.
+
+ticket: 8933 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+
+(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 4cf011143..13c351620 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -3462,14 +3462,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
+ unsigned char *start;
+ int i;
+
+- if (**buff_in != SEQUENCE_OF)
++ if (buff_length < 1 || **buff_in != SEQUENCE_OF)
+ return (NULL);
+
+ start = *buff_in;
+ (*buff_in)++;
+
+- length = gssint_get_der_length(buff_in, buff_length, &bytes);
+- if (length < 0 || buff_length - bytes < (unsigned int)length)
++ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
++ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
+ return NULL;
+
+ major_status = gss_create_empty_oid_set(minor_status,
+@@ -3549,11 +3549,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
+ {
+ unsigned int len;
+
+- if (**buff_in != (CONTEXT | 0x01))
++ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
+ return (0);
+
+ if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
+- bodysize, &len) < 0)
++ bodysize, &len) < 0 || len != 4)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ if (*(*buff_in)++ != BIT_STRING)
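Review bot: The new bound in get_mech_set(), `buff_length - 1 - bytes < (unsigned int)length`, is unsigned arithmetic (the cast on the right suggests buff_length is unsigned) and is wrap-free only if gssint_get_der_length() never reports `bytes` larger than the `buff_length - 1` it was handed; that helper is outside this hunk, so the invariant deserves a comment on the line, e.g. `/* bytes <= buff_length - 1 is bounded by gssint_get_der_length(), so this cannot wrap */` — to be confirmed against the helper. In get_req_flags(), the added `len != 4` rejection carries no explanation; since the very next line reads a BIT_STRING tag, a comment such as `/* reqFlags: BIT STRING tag, length, unused-bits octet, one flags octet */` would state why exactly four octets are required (inferred from the following reads, please verify). Both functions start and continue outside the hunk, so the later reads these checks protect are not visible here.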
diff --git a/krb5.spec b/krb5.spec index 0e5d23c..a1faa71 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 21%{?dist} +Release: 22%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -71,6 +71,7 @@ Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch +Patch36: Fix-input-length-checking-in-SPNEGO-DER-decoding.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -632,6 +633,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Sep 09 2020 Robbie Harwood - 1.18.2-22 +- Fix input length checking in SPNEGO DER decoding + * Fri Aug 28 2020 Robbie Harwood - 1.18.2-21 - Mark crypto-polices snippet as missingok - Resolves: #1868379