krb5: Fix CVE-2023-36054

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count. References: https://nvd.nist.gov/vuln/detail/CVE-2023-36054 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2023-08-25 07:39:23 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-09-04 11:55:22 -0400
commit: 86124cc62563eda0b19dc35a9478bc18517d515c (patch)
tree: 4560027e2b3b0b03d5153e91e74d42eb8dc107cb
parent: 41fffef6b044b2722aa13f7e7648a3f848231851 (diff)
download: meta-openembedded-86124cc62563eda0b19dc35a9478bc18517d515c.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
new file mode 100644
index 000000000..160c090bc
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 21 Aug 2023 03:08:15 +0000
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+CVE: CVE-2023-36054
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2892d41..94b1ce8 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+                             int v)
+ {
+        unsigned int n;
+       bool_t r;
+        if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+                return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+        if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+                return (FALSE);
+        }
+       if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+               return (FALSE);
+       }
+        if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+                return (FALSE);
+        }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+                return FALSE;
+        }
+        n = objp->n_key_data;
+-       if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-                      &n, ~0, sizeof(krb5_key_data),
+-                      xdr_krb5_key_data_nocontents)) {
+       r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+                     sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+       objp->n_key_data = n;
+       if (!r) {
+                return (FALSE);
+        }
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
index 10fff11c2..e353b58aa 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
+           file://CVE-2023-36054.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
 SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"
author	Soumya Sambu <soumya.sambu@windriver.com>	2023-08-25 07:39:23 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-09-04 11:55:22 -0400
commit	86124cc62563eda0b19dc35a9478bc18517d515c (patch)
tree	4560027e2b3b0b03d5153e91e74d42eb8dc107cb
parent	41fffef6b044b2722aa13f7e7648a3f848231851 (diff)
download	meta-openembedded-86124cc62563eda0b19dc35a9478bc18517d515c.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 000000000..160c090bc --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@
		1	From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
		2	From: Greg Hudson <ghudson@mit.edu>
		3	Date: Mon, 21 Aug 2023 03:08:15 +0000
		4	Subject: [PATCH] Ensure array count consistency in kadm5 RPC
		5
		6	In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
		7	key_data array count when decoding. Otherwise when the structure is
		8	later freed, xdr_array() could iterate over the wrong number of
		9	elements, either leaking some memory or freeing uninitialized
		10	pointers. Reported by Robert Morris.
		11
		12	CVE: CVE-2023-36054
		13
		14	An authenticated attacker can cause a kadmind process to crash by
		15	freeing uninitialized pointers. Remote code execution is unlikely.
		16	An attacker with control of a kadmin server can cause a kadmin client
		17	to crash by freeing uninitialized pointers.
		18
		19	ticket: 9099 (new)
		20	tags: pullup
		21	target_version: 1.21-next
		22	target_version: 1.20-next
		23
		24	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
		25
		26	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		27	---
		28	src/lib/kadm5/kadm_rpc_xdr.c \| 11 ++++++++---
		29	1 file changed, 8 insertions(+), 3 deletions(-)
		30
		31	diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
		32	index 2892d41..94b1ce8 100644
		33	--- a/src/lib/kadm5/kadm_rpc_xdr.c
		34	+++ b/src/lib/kadm5/kadm_rpc_xdr.c
		35	@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
		36	int v)
		37	{
		38	unsigned int n;
		39	+ bool_t r;
		40
		41	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
		42	return (FALSE);
		43	@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
		44	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
		45	return (FALSE);
		46	}
		47	+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
		48	+ return (FALSE);
		49	+ }
		50	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
		51	return (FALSE);
		52	}
		53	@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
		54	return FALSE;
		55	}
		56	n = objp->n_key_data;
		57	- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
		58	- &n, ~0, sizeof(krb5_key_data),
		59	- xdr_krb5_key_data_nocontents)) {
		60	+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
		61	+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
		62	+ objp->n_key_data = n;
		63	+ if (!r) {
		64	return (FALSE);
		65	}
		66
		67	--
		68	2.40.0


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 10fff11c2..e353b58aa 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
29	file://etc/default/krb5-admin-server \	29	file://etc/default/krb5-admin-server \
30	file://krb5-kdc.service \	30	file://krb5-kdc.service \
31	file://krb5-admin-server.service \	31	file://krb5-admin-server.service \
		32	file://CVE-2023-36054.patch;striplevel=2 \
32	"	33	"
33	SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"	34	SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
34	SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"	35	SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"