rpms/munge
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
munge/Fix-buffer-overflow-when-unpacking-message-address-l.patch
Kamal Heib b795cc14b7 Fix CVE-2026-25506 
Resolves: RHEL-148521
CVE: CVE-2026-25506

Signed-off-by: Kamal Heib <kheib@redhat.com>
2026-02-15 14:41:26 -05:00

53 lines
2.4 KiB
Diff
Raw Permalink Blame History

From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001
From: Chris Dunlap <cdunlap@llnl.gov>
Date: Mon, 26 Jan 2026 20:42:40 -0800
Subject: [PATCH] Fix buffer overflow when unpacking message address length
Add validation that addr_len does not exceed the size of the addr
field before copying IP address data in _msg_unpack().
The m_msg structure contains a 4-byte struct in_addr for the IP
address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len
field (uint8_t) was read from untrusted message data and used directly
in _copy() without validation. An attacker setting addr_len to 255
causes _copy() to write 251 bytes past the end of the addr field,
corrupting subsequent structure members.
This buffer overflow corrupts munged's internal state and can
be exploited by a local attacker to leak conf->mac_key and other
cryptographic secrets from process memory. With the leaked key,
an attacker can forge arbitrary MUNGE credentials to impersonate any
user to services that rely on MUNGE for authentication.
Any local user can trigger this by connecting to munged's Unix socket
and sending a crafted MUNGE_MSG_DEC_RSP message. While message type
validation in job_exec() will reject response-type messages, this
validation occurs after m_msg_recv() has already called _msg_unpack()
to process the message body. The buffer overflow occurs during the
unpacking phase, before the message type is validated and rejected.
A working proof-of-concept exploit exists that demonstrates key
leakage and credential forgery.
Reported-by: Titouan Lazard <t.lazard@lexfo.fr>
Security: CVE-2026-25506
---
src/libcommon/m_msg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c
index 38e01ae3dd81..eaeaf0b8bc3e 100644
--- a/src/libcommon/m_msg.c
+++ b/src/libcommon/m_msg.c
@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen)
else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ;
else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ;
else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ;
+ else if (m->addr_len > sizeof (m->addr)) goto err;
else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ;
else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ;
else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ;
--
2.52.0
Reference in New Issue View Git Blame Copy Permalink