- Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)

Resolves: RHEL-171589 RHEL-171594
Signed-off-by: Julien Rische <jrische@redhat.com>
66 lines
2.5 KiB
From 317d6cc21d12148bbb1366b6d143c1913bff4d80 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 8 Apr 2026 17:57:59 -0400
Subject: [PATCH] Fix two NegoEx parsing vulnerabilities

In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.

Reported by Cem Onat Karagun.

CVE-2026-40355:

In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.

CVE-2026-40356:

In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate. Exfiltration of the bytes read does not appear
possible.

ticket: 9205 (new)
tags: pullup
target_version: 1.22-next

(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
---
 src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
index 99580fd79c..632f719ba8 100644
--- a/src/lib/gssapi/spnego/negoex_util.c
+++ b/src/lib/gssapi/spnego/negoex_util.c
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
offset = k5_input_get_uint32_le(in);
count = k5_input_get_uint16_le(in);
p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+ if (p == NULL) {
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
for (i = 0; i < count; i++) {
extension_type = load_32_le(p + i * EXTENSION_LENGTH);
if (extension_type & EXTENSION_FLAG_CRITICAL) {
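Review bot: the new `if (p == NULL)` after the second vector_base() call is the right fix for the null dereference in the `for` loop below it, and it reuses the ERR_NEGOEX_INVALID_MESSAGE_SIZE / GSS_S_DEFECTIVE_TOKEN path, which is consistent with the header check in the next hunk. Two things worth confirming: that the first vector_base() call in parse_nego_message(), outside this hunk, already has the equivalent check (the commit message only names the second call as unchecked), and that a regression test with a NEGO message whose extension offset/count point past msg_len is added alongside the fix so this error path is actually exercised.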
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
msg_len = k5_input_get_uint32_le(in);
conv_id = k5_input_get_bytes(in, GUID_LENGTH);

- if (in->status || msg_len > token_remaining || header_len > msg_len) {
+ if (in->status || msg_len > token_remaining ||
+ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
*minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
return GSS_S_DEFECTIVE_TOKEN;
}
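Review bot: the added `header_len < (size_t)(in->ptr - msg_base)` term depends on its position in the `||` chain: `in->status` is tested first, so by the time the pointer difference is computed k5_input_get_bytes() has succeeded and in->ptr sits just past conv_id; keep that ordering if the condition is ever reshuffled. The cast of the ptrdiff_t to size_t is safe here because in->ptr can only be at or beyond msg_base. Consider a one-line comment above the `if` stating that header_len must cover the fixed fields already consumed, otherwise the remaining-length subtraction underflows, since the reason for the lower bound is not obvious from the condition alone, plus a test token with header_len smaller than the fixed header to pin the behaviour.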
--
2.53.0
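The two checks described in the commit message, as an added illustration that is not code from the patch or from MIT krb5: a bounds-checked model of vector_base() whose NULL result has to be tested before use, and a model of the parse_message() header validation with and without the new lower bound on header_len, run over constructed byte strings. The 24-byte header layout (header_len, msg_len, conv_id), the EXTENSION_LENGTH value of 8, and the helper names store_32_le, check_header, header_accepted, remaining_header_bytes and vector_in_bounds are assumptions made for the demo, not the real NegoEx wire format or krb5 internals.

```c
/*
 * Added illustration, not MIT krb5 code: a minimal model of the two
 * NegoEx bounds checks touched by the patch, run over constructed
 * messages.  The header layout, EXTENSION_LENGTH value and helper
 * names are simplifications chosen for the demo, not the real format.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LENGTH      16
#define EXTENSION_LENGTH 8                       /* assumed element size */
#define FIXED_HDR        (4 + 4 + GUID_LENGTH)   /* header_len, msg_len, conv_id */

static uint32_t load_32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_32_le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/*
 * Model of vector_base(): pointer to count elements of elem bytes at
 * byte offset inside a msg_len-byte message, or NULL if any part of the
 * vector lies outside it.  Subtracting instead of adding keeps
 * offset + count * elem from overflowing.  The caller must test for
 * NULL before dereferencing (the first fix in the patch).
 */
static const uint8_t *
vector_base(uint32_t offset, uint16_t count, size_t elem,
            const uint8_t *msg_base, size_t msg_len)
{
    if (offset > msg_len)
        return NULL;
    if ((size_t)count * elem > msg_len - offset)
        return NULL;
    return msg_base + offset;
}

/*
 * Model of parse_message()'s header validation over the constructed
 * layout  uint32 LE header_len | uint32 LE msg_len | conv_id[16] | body.
 * After conv_id the parser has consumed FIXED_HDR bytes (in->ptr -
 * msg_base in the real code).  With only the pre-patch check
 * (hardened == 0) a header_len below FIXED_HDR is accepted and the
 * remaining-header subtraction wraps to a huge size_t; the post-patch
 * lower bound (hardened == 1) rejects it.  Returns 0 accept, -1 reject.
 */
static int
check_header(const uint8_t *msg_base, size_t token_remaining, int hardened,
             size_t *remaining_out)
{
    uint32_t header_len, msg_len;
    size_t consumed = FIXED_HDR;

    if (token_remaining < FIXED_HDR)
        return -1;
    header_len = load_32_le(msg_base);
    msg_len = load_32_le(msg_base + 4);
    if (msg_len > token_remaining || header_len > msg_len)
        return -1;
    if (hardened && header_len < consumed)       /* the added check */
        return -1;
    *remaining_out = (size_t)header_len - consumed; /* wraps if short */
    return 0;
}

/* Constructed 40-byte message with the given header_len; 1 = accepted. */
static int header_accepted(uint32_t header_len, int hardened)
{
    uint8_t msg[40];
    size_t rem;
    memset(msg, 0, sizeof(msg));
    store_32_le(msg, header_len);
    store_32_le(msg + 4, (uint32_t)sizeof(msg));
    return check_header(msg, sizeof(msg), hardened, &rem) == 0;
}

/* Same message under the pre-patch check: the (possibly wrapped)
 * remaining-header length, or 0 if the message was rejected. */
static size_t remaining_header_bytes(uint32_t header_len)
{
    uint8_t msg[40];
    size_t rem = 0;
    memset(msg, 0, sizeof(msg));
    store_32_le(msg, header_len);
    store_32_le(msg + 4, (uint32_t)sizeof(msg));
    return check_header(msg, sizeof(msg), 0, &rem) == 0 ? rem : 0;
}

/* Extension vector check against a constructed 40-byte message. */
static int vector_in_bounds(uint32_t offset, uint16_t count)
{
    uint8_t msg[40] = {0};
    return vector_base(offset, count, EXTENSION_LENGTH, msg, sizeof(msg)) != NULL;
}

int main(void)
{
    printf("header_len=24: old %d new %d\n", header_accepted(24, 0), header_accepted(24, 1));
    printf("header_len=4:  old %d new %d, remaining wraps to %zu\n",
           header_accepted(4, 0), header_accepted(4, 1), remaining_header_bytes(4));
    printf("vector offset=24 count=2: %d, count=3: %d, offset=0xfffffff0: %d\n",
           vector_in_bounds(24, 2), vector_in_bounds(24, 3), vector_in_bounds(0xfffffff0u, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall negoex_demo.c && ./a.out`. The header_len=4 case is the interesting one: the pre-patch condition accepts the token and the remaining-length subtraction wraps to a value far larger than the 40-byte message, which is the integer underflow the patch closes; the hardened check rejects the same bytes.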