Fix input length checking in SPNEGO DER decoding
This commit is contained in:
parent
1003328588
commit
d7334ebf68
58
Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
Normal file
58
Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
From 9504dd4de49938e4cdd56ce6df635b76eaf37e96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 28 Jul 2020 12:58:26 -0400
|
||||||
|
Subject: [PATCH] Fix input length checking in SPNEGO DER decoding
|
||||||
|
|
||||||
|
In get_mech_set(), check the length before reading the first byte, and
|
||||||
|
decrease the length by the tag byte when reading and verifying the
|
||||||
|
sequence length.
|
||||||
|
|
||||||
|
In get_req_flags(), check the length before reading the first byte,
|
||||||
|
and check the context tag length after decoding it.
|
||||||
|
|
||||||
|
ticket: 8933 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.18-next
|
||||||
|
target_version: 1.17-next
|
||||||
|
|
||||||
|
(cherry picked from commit 64f4b75a22212681ca293f8f09ddd24b0244d5b4)
|
||||||
|
---
|
||||||
|
src/lib/gssapi/spnego/spnego_mech.c | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
index 4cf011143..13c351620 100644
|
||||||
|
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||||||
|
@@ -3462,14 +3462,14 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
|
||||||
|
unsigned char *start;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
- if (**buff_in != SEQUENCE_OF)
|
||||||
|
+ if (buff_length < 1 || **buff_in != SEQUENCE_OF)
|
||||||
|
return (NULL);
|
||||||
|
|
||||||
|
start = *buff_in;
|
||||||
|
(*buff_in)++;
|
||||||
|
|
||||||
|
- length = gssint_get_der_length(buff_in, buff_length, &bytes);
|
||||||
|
- if (length < 0 || buff_length - bytes < (unsigned int)length)
|
||||||
|
+ length = gssint_get_der_length(buff_in, buff_length - 1, &bytes);
|
||||||
|
+ if (length < 0 || buff_length - 1 - bytes < (unsigned int)length)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
major_status = gss_create_empty_oid_set(minor_status,
|
||||||
|
@@ -3549,11 +3549,11 @@ get_req_flags(unsigned char **buff_in, OM_uint32 bodysize,
|
||||||
|
{
|
||||||
|
unsigned int len;
|
||||||
|
|
||||||
|
- if (**buff_in != (CONTEXT | 0x01))
|
||||||
|
+ if (bodysize < 1 || **buff_in != (CONTEXT | 0x01))
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
if (g_get_tag_and_length(buff_in, (CONTEXT | 0x01),
|
||||||
|
- bodysize, &len) < 0)
|
||||||
|
+ bodysize, &len) < 0 || len != 4)
|
||||||
|
return GSS_S_DEFECTIVE_TOKEN;
|
||||||
|
|
||||||
|
if (*(*buff_in)++ != BIT_STRING)
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
|||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.18.2
|
Version: 1.18.2
|
||||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||||
Release: 21%{?dist}
|
Release: 22%{?dist}
|
||||||
|
|
||||||
# rharwood has trust path to signing key and verifies on check-in
|
# rharwood has trust path to signing key and verifies on check-in
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
||||||
@ -71,6 +71,7 @@ Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
|
|||||||
Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
|
Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
|
||||||
Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
|
Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
|
||||||
Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
|
Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
|
||||||
|
Patch36: Fix-input-length-checking-in-SPNEGO-DER-decoding.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://web.mit.edu/kerberos/www/
|
URL: https://web.mit.edu/kerberos/www/
|
||||||
@ -632,6 +633,9 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 09 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-22
|
||||||
|
- Fix input length checking in SPNEGO DER decoding
|
||||||
|
|
||||||
* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21
|
* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21
|
||||||
- Mark crypto-polices snippet as missingok
|
- Mark crypto-polices snippet as missingok
|
||||||
- Resolves: #1868379
|
- Resolves: #1868379
|
||||||
|
Loading…
Reference in New Issue
Block a user