import OL munge-0.5.13-14.0.1.el9_7
parent bf73b35599
commit 0f1b0cfe5e
@ -0,0 +1,52 @@
|
||||
From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Dunlap <cdunlap@llnl.gov>
|
||||
Date: Mon, 26 Jan 2026 20:42:40 -0800
|
||||
Subject: [PATCH] Fix buffer overflow when unpacking message address length
|
||||
|
||||
Add validation that addr_len does not exceed the size of the addr
|
||||
field before copying IP address data in _msg_unpack().
|
||||
|
||||
The m_msg structure contains a 4-byte struct in_addr for the IP
|
||||
address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
|
||||
field (uint8_t) was read from untrusted message data and used directly
|
||||
in _copy() without validation. An attacker setting addr_len to 255
|
||||
causes _copy() to write 251 bytes past the end of the addr field,
|
||||
corrupting subsequent structure members.
|
||||
|
||||
This buffer overflow corrupts munged's internal state and can
|
||||
be exploited by a local attacker to leak conf->mac_key and other
|
||||
cryptographic secrets from process memory. With the leaked key,
|
||||
an attacker can forge arbitrary MUNGE credentials to impersonate any
|
||||
user to services that rely on MUNGE for authentication.
|
||||
|
||||
Any local user can trigger this by connecting to munged's Unix socket
|
||||
and sending a crafted MUNGE_MSG_DEC_RSP message. While message type
|
||||
validation in job_exec() will reject response-type messages, this
|
||||
validation occurs after m_msg_recv() has already called _msg_unpack()
|
||||
to process the message body. The buffer overflow occurs during the
|
||||
unpacking phase, before the message type is validated and rejected.
|
||||
|
||||
A working proof-of-concept exploit exists that demonstrates key
|
||||
leakage and credential forgery.
|
||||
|
||||
Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
|
||||
Security: CVE-2026-25506
|
||||
---
|
||||
src/libcommon/m_msg.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
|
||||
index 38e01ae3dd81..eaeaf0b8bc3e 100644
|
||||
--- a/src/libcommon/m_msg.c
|
||||
+++ b/src/libcommon/m_msg.c
|
||||
@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
|
||||
else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
|
||||
else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
|
||||
else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
|
||||
+ else if (m->addr_len > sizeof (m->addr)) goto err;
|
||||
else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
|
||||
else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
|
||||
else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
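Review bot: The new bound check in `_msg_unpack()` (the `m->addr_len > sizeof (m->addr)` line) is the only branch in the visible chain that leaves through `goto err`, while every neighbouring branch ends in an empty statement; a short comment saying why this one jumps would help the next reader. The diffstat shows a single insertion in `src/libcommon/m_msg.c` and no test, so consider adding a regression case that unpacks a message with `addr_len` set to 5 and to 255 and expects failure. The `_copy()` into `m->realm_str` two lines above also takes a length field (`m->realm_len`), so it is worth confirming in this review that its destination is sized from that length.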
@ -1,6 +1,6 @@
|
||||
Name: munge
|
||||
Version: 0.5.13
|
||||
Release: 13%{?dist}
|
||||
Release: 14.0.1%{?dist}
|
||||
Summary: Enables uid & gid authentication across a host cluster
|
||||
|
||||
# The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only.
|
||||
@ -10,6 +10,7 @@ Source0: https://github.com/dun/munge/releases/download/munge-%{version}/
|
||||
Source1: create-munge-key
|
||||
Source2: munge.logrotate
|
||||
Source3: munge.sysusers
|
||||
Patch01: Fix-buffer-overflow-when-unpacking-message-address-l.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: systemd-rpm-macros
|
||||
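Review bot: `Patch01` is added with no comment saying what it fixes; a line above it naming CVE-2026-25506 and the upstream commit (bf40cc27c4ce, per the patch header) would let a later rebase tell whether the patch can be dropped. The file name ends in `-l.patch`, cut off mid-word, which is fine only as long as it matches the file shipped in the sources exactly.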
@ -49,6 +50,7 @@ Runtime libraries for using MUNGE.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -P 1 -p1
|
||||
cp -p %{SOURCE1} create-munge-key
|
||||
cp -p %{SOURCE2} munge.logrotate
|
||||
|
||||
@ -72,7 +74,7 @@ install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/munge.conf
|
||||
|
||||
# rm unneeded files.
|
||||
rm %{buildroot}/%{_sysconfdir}/sysconfig/munge
|
||||
rm %{buildroot}/%{_sysconfdir}/init.d/munge
|
||||
rm %{buildroot}/%{_sysconfdir}/rc.d/init.d/munge
|
||||
# Exclude .la files
|
||||
rm %{buildroot}/%{_libdir}/libmunge.la
|
||||
|
||||
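Review bot: The two `rm` lines for the init script differ only in `init.d/munge` versus `rc.d/init.d/munge`, and this path change is unrelated to the CVE patch carried in the same commit, so a comment above the `rm` saying where the build installs the file would explain it. Since these are plain `rm` calls without `-f`, the build stops if the path is absent; that is a useful guard, but it should be a deliberate choice.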
@ -155,6 +157,13 @@ mv %{buildroot}%{_var}/run %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Feb 23 2026 EL Errata <el-errata_ww@oracle.com> - 0.5.13-14.0.1
|
||||
- Updated path for removal of unneeded init file
|
||||
|
||||
* Sun Feb 15 2026 Kamal Heib <kheib@redhat.com> - 0.5.13-14
|
||||
- Fix CVE-2026-25506
|
||||
- Resolved: RHEL-148533
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.5.13-13
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||