Fix CVE-2026-25506
Resolves: RHEL-148520 Signed-off-by: Kamal Heib <kheib@redhat.com>
This commit is contained in:
Kamal Heib
parent
130e673de2
commit
4107e738fb
52
Fix-buffer-overflow-when-unpacking-message-address-l.patch
Normal file
52
Fix-buffer-overflow-when-unpacking-message-address-l.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Dunlap <cdunlap@llnl.gov>
|
||||
Date: Mon, 26 Jan 2026 20:42:40 -0800
|
||||
Subject: [PATCH] Fix buffer overflow when unpacking message address length
|
||||
|
||||
Add validation that addr_len does not exceed the size of the addr
|
||||
field before copying IP address data in _msg_unpack().
|
||||
|
||||
The m_msg structure contains a 4-byte struct in_addr for the IP
|
||||
address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
|
||||
field (uint8_t) was read from untrusted message data and used directly
|
||||
in _copy() without validation. An attacker setting addr_len to 255
|
||||
causes _copy() to write 251 bytes past the end of the addr field,
|
||||
corrupting subsequent structure members.
|
||||
|
||||
This buffer overflow corrupts munged's internal state and can
|
||||
be exploited by a local attacker to leak conf->mac_key and other
|
||||
cryptographic secrets from process memory. With the leaked key,
|
||||
an attacker can forge arbitrary MUNGE credentials to impersonate any
|
||||
user to services that rely on MUNGE for authentication.
|
||||
|
||||
Any local user can trigger this by connecting to munged's Unix socket
|
||||
and sending a crafted MUNGE_MSG_DEC_RSP message. While message type
|
||||
validation in job_exec() will reject response-type messages, this
|
||||
validation occurs after m_msg_recv() has already called _msg_unpack()
|
||||
to process the message body. The buffer overflow occurs during the
|
||||
unpacking phase, before the message type is validated and rejected.
|
||||
|
||||
A working proof-of-concept exploit exists that demonstrates key
|
||||
leakage and credential forgery.
|
||||
|
||||
Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
|
||||
Security: CVE-2026-25506
|
||||
---
|
||||
src/libcommon/m_msg.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
|
||||
index 38e01ae3dd81..eaeaf0b8bc3e 100644
|
||||
--- a/src/libcommon/m_msg.c
|
||||
+++ b/src/libcommon/m_msg.c
|
||||
@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
|
||||
else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
|
||||
else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
|
||||
else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
|
||||
+ else if (m->addr_len > sizeof (m->addr)) goto err;
|
||||
else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
|
||||
else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
|
||||
else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -13,6 +13,7 @@ Source1: https://github.com/dun/munge/releases/download/%{name}-%{version
|
||||
Source2: https://github.com/dun.gpg
|
||||
Source3: munge.sysusers
|
||||
Source4: README.md
|
||||
Patch01: Fix-buffer-overflow-when-unpacking-message-address-l.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user