diff options
author | Soumya Sambu <soumya.sambu@windriver.com> | 2023-08-25 07:39:23 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-09-04 11:55:22 -0400 |
commit | 86124cc62563eda0b19dc35a9478bc18517d515c (patch) | |
tree | 4560027e2b3b0b03d5153e91e74d42eb8dc107cb | |
parent | 41fffef6b044b2722aa13f7e7648a3f848231851 (diff) | |
download | meta-openembedded-86124cc62563eda0b19dc35a9478bc18517d515c.tar.gz |
krb5: Fix CVE-2023-36054
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between n_key_data and the key_data array count.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36054
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch | 68 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 000000000..160c090bc --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001 | ||
2 | From: Greg Hudson <ghudson@mit.edu> | ||
3 | Date: Mon, 21 Aug 2023 03:08:15 +0000 | ||
4 | Subject: [PATCH] Ensure array count consistency in kadm5 RPC | ||
5 | |||
6 | In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the | ||
7 | key_data array count when decoding. Otherwise when the structure is | ||
8 | later freed, xdr_array() could iterate over the wrong number of | ||
9 | elements, either leaking some memory or freeing uninitialized | ||
10 | pointers. Reported by Robert Morris. | ||
11 | |||
12 | CVE: CVE-2023-36054 | ||
13 | |||
14 | An authenticated attacker can cause a kadmind process to crash by | ||
15 | freeing uninitialized pointers. Remote code execution is unlikely. | ||
16 | An attacker with control of a kadmin server can cause a kadmin client | ||
17 | to crash by freeing uninitialized pointers. | ||
18 | |||
19 | ticket: 9099 (new) | ||
20 | tags: pullup | ||
21 | target_version: 1.21-next | ||
22 | target_version: 1.20-next | ||
23 | |||
24 | Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd] | ||
25 | |||
26 | Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> | ||
27 | --- | ||
28 | src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- | ||
29 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
30 | |||
31 | diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c | ||
32 | index 2892d41..94b1ce8 100644 | ||
33 | --- a/src/lib/kadm5/kadm_rpc_xdr.c | ||
34 | +++ b/src/lib/kadm5/kadm_rpc_xdr.c | ||
35 | @@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, | ||
36 | int v) | ||
37 | { | ||
38 | unsigned int n; | ||
39 | + bool_t r; | ||
40 | |||
41 | if (!xdr_krb5_principal(xdrs, &objp->principal)) { | ||
42 | return (FALSE); | ||
43 | @@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, | ||
44 | if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { | ||
45 | return (FALSE); | ||
46 | } | ||
47 | + if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { | ||
48 | + return (FALSE); | ||
49 | + } | ||
50 | if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { | ||
51 | return (FALSE); | ||
52 | } | ||
53 | @@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, | ||
54 | return FALSE; | ||
55 | } | ||
56 | n = objp->n_key_data; | ||
57 | - if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, | ||
58 | - &n, ~0, sizeof(krb5_key_data), | ||
59 | - xdr_krb5_key_data_nocontents)) { | ||
60 | + r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, | ||
61 | + sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); | ||
62 | + objp->n_key_data = n; | ||
63 | + if (!r) { | ||
64 | return (FALSE); | ||
65 | } | ||
66 | |||
67 | -- | ||
68 | 2.40.0 | ||
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 10fff11c2..e353b58aa 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb | |||
@@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ | |||
29 | file://etc/default/krb5-admin-server \ | 29 | file://etc/default/krb5-admin-server \ |
30 | file://krb5-kdc.service \ | 30 | file://krb5-kdc.service \ |
31 | file://krb5-admin-server.service \ | 31 | file://krb5-admin-server.service \ |
32 | file://CVE-2023-36054.patch;striplevel=2 \ | ||
32 | " | 33 | " |
33 | SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" | 34 | SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" |
34 | SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" | 35 | SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" |