diff --git a/SOURCES/Fix-buffer-overflow-when-unpacking-message-address-l.patch b/SOURCES/Fix-buffer-overflow-when-unpacking-message-address-l.patch
new file mode 100644
index 0000000..1648899
--- /dev/null
+++ b/SOURCES/Fix-buffer-overflow-when-unpacking-message-address-l.patch
@@ -0,0 +1,52 @@
+From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
+From: Chris Dunlap
+Date: Mon, 26 Jan 2026 20:42:40 -0800
+Subject: [PATCH] Fix buffer overflow when unpacking message address length
+
+Add validation that addr_len does not exceed the size of the addr
+field before copying IP address data in _msg_unpack().
+
+The m_msg structure contains a 4-byte struct in_addr for the IP
+address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
+field (uint8_t) was read from untrusted message data and used directly
+in _copy() without validation. An attacker setting addr_len to 255
+causes _copy() to write 251 bytes past the end of the addr field,
+corrupting subsequent structure members.
+
+This buffer overflow corrupts munged's internal state and can
+be exploited by a local attacker to leak conf->mac_key and other
+cryptographic secrets from process memory. With the leaked key,
+an attacker can forge arbitrary MUNGE credentials to impersonate any
+user to services that rely on MUNGE for authentication.
+
+Any local user can trigger this by connecting to munged's Unix socket
+and sending a crafted MUNGE_MSG_DEC_RSP message. While message type
+validation in job_exec() will reject response-type messages, this
+validation occurs after m_msg_recv() has already called _msg_unpack()
+to process the message body. The buffer overflow occurs during the
+unpacking phase, before the message type is validated and rejected.
+
+A working proof-of-concept exploit exists that demonstrates key
+leakage and credential forgery.
+
+Reported-by: Titouan Lazard
+Security: CVE-2026-25506
+---
+ src/libcommon/m_msg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
+index 38e01ae3dd81..eaeaf0b8bc3e 100644
+--- a/src/libcommon/m_msg.c
++++ b/src/libcommon/m_msg.c
+@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
+ else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
+ else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
+ else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
++ else if (m->addr_len > sizeof (m->addr)) goto err;
+ else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
+ else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
+ else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
+--
+2.52.0
+
diff --git a/SPECS/munge.spec b/SPECS/munge.spec
index c66ac44..eae8e46 100644
--- a/SPECS/munge.spec
+++ b/SPECS/munge.spec
@@ -1,6 +1,6 @@
 Name: munge
 Version: 0.5.13
-Release: 13%{?dist}
+Release: 14.0.1%{?dist}
 Summary: Enables uid & gid authentication across a host cluster
 # The libs and devel package is GPLv3+ and LGPLv3+ where as the main package is GPLv3 only.
@@ -10,6 +10,7 @@ Source0: https://github.com/dun/munge/releases/download/munge-%{version}/
 Source1: create-munge-key
 Source2: munge.logrotate
 Source3: munge.sysusers
+Patch01: Fix-buffer-overflow-when-unpacking-message-address-l.patch
 BuildRequires: gcc
 BuildRequires: systemd-rpm-macros
@@ -49,6 +50,7 @@ Runtime libraries for using MUNGE.
 %prep
 %setup -q
+%patch -P 1 -p1
 cp -p %{SOURCE1} create-munge-key
 cp -p %{SOURCE2} munge.logrotate
@@ -72,7 +74,7 @@ install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/munge.conf
 # rm unneeded files.
 rm %{buildroot}/%{_sysconfdir}/sysconfig/munge
-rm %{buildroot}/%{_sysconfdir}/init.d/munge
+rm %{buildroot}/%{_sysconfdir}/rc.d/init.d/munge
 # Exclude .la files
 rm %{buildroot}/%{_libdir}/libmunge.la
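Review bot: The added `++ else if (m->addr_len > sizeof (m->addr)) goto err;` still accepts addr_len values of 1 to 3, which leaves the tail of `m->addr` holding whatever it contained before `_copy()` ran; if the packing side always emits a whole `struct in_addr` (or 0 for "no address"), `if (m->addr_len != 0 && m->addr_len != sizeof (m->addr)) goto err;` would be the tighter bound, but the packer is not visible from this hunk, so confirm which lengths are legitimate before tightening. The new clause also leaves the chain via `goto err` while every neighbouring clause signals failure with an empty `;` and falls through, so it is worth confirming that `err:` yields the same error result for the caller as that fall-through path does; `_msg_unpack` begins and ends outside the hunk, so the label itself is not visible here. A one-line comment would help the next reader see why the bound lives here rather than in the helper, e.g. `/* addr_len is wire data and _copy() appears to take no destination size, so bound it against the fixed struct in_addr here */`.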
@@ -155,6 +157,13 @@ mv %{buildroot}%{_var}/run %{buildroot}
 %changelog
+* Mon Feb 23 2026 EL Errata - 0.5.13-14.0.1
+- Updated path for removal of unneeded init file
+
+* Sun Feb 15 2026 Kamal Heib - 0.5.13-14
+- Fix CVE-2026-25506
+- Resolved: RHEL-148533
+
+* Mon Aug 09 2021 Mohan Boddu - 0.5.13-13
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688