diff --git a/Fix-buffer-overflow-when-unpacking-message-address-l.patch b/Fix-buffer-overflow-when-unpacking-message-address-l.patch new file mode 100644 index 0000000..1648899 --- /dev/null +++ b/Fix-buffer-overflow-when-unpacking-message-address-l.patch @@ -0,0 +1,52 @@ +From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001 +From: Chris Dunlap +Date: Mon, 26 Jan 2026 20:42:40 -0800 +Subject: [PATCH] Fix buffer overflow when unpacking message address length + +Add validation that addr_len does not exceed the size of the addr +field before copying IP address data in _msg_unpack(). + +The m_msg structure contains a 4-byte struct in_addr for the IP +address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len +field (uint8_t) was read from untrusted message data and used directly +in _copy() without validation. An attacker setting addr_len to 255 +causes _copy() to write 251 bytes past the end of the addr field, +corrupting subsequent structure members. + +This buffer overflow corrupts munged's internal state and can +be exploited by a local attacker to leak conf->mac_key and other +cryptographic secrets from process memory. With the leaked key, +an attacker can forge arbitrary MUNGE credentials to impersonate any +user to services that rely on MUNGE for authentication. + +Any local user can trigger this by connecting to munged's Unix socket +and sending a crafted MUNGE_MSG_DEC_RSP message. While message type +validation in job_exec() will reject response-type messages, this +validation occurs after m_msg_recv() has already called _msg_unpack() +to process the message body. The buffer overflow occurs during the +unpacking phase, before the message type is validated and rejected. + +A working proof-of-concept exploit exists that demonstrates key +leakage and credential forgery. + +Reported-by: Titouan Lazard +Security: CVE-2026-25506 +--- + src/libcommon/m_msg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c +index 38e01ae3dd81..eaeaf0b8bc3e 100644 +--- a/src/libcommon/m_msg.c ++++ b/src/libcommon/m_msg.c +@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen) + else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ; + else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ; + else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ; ++ else if (m->addr_len > sizeof (m->addr)) goto err; + else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ; + else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ; + else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ; +-- +2.52.0 + diff --git a/munge.spec b/munge.spec index d5b59fc..df537d6 100644 --- a/munge.spec +++ b/munge.spec @@ -13,6 +13,7 @@ Source1: https://github.com/dun/munge/releases/download/%{name}-%{version Source2: https://github.com/dun.gpg Source3: munge.sysusers Source4: README.md +Patch01: Fix-buffer-overflow-when-unpacking-message-address-l.patch BuildRequires: make BuildRequires: gcc