krb5: fix CVE-2024-26458 and CVE-2024-26461

CVE-2024-26458: Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26461: Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. References: https://nvd.nist.gov/vuln/detail/CVE-2024-26458 https://nvd.nist.gov/vuln/detail/CVE-2024-26461 Upstream Patch: https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Yogita Urade <yogita.urade@windriver.com> 2024-08-23 06:46:03 +0000
committer: Khem Raj <raj.khem@gmail.com> 2024-08-23 22:35:10 -0700
commit: 2cfb80b24ce790d4d13c315207d28df0afe4d90c (patch)
tree: 88a4dff83ed71142b6bf9355fda4feb2e142cc1c
parent: 8c43e7a2997696179c562fe0d0be2aa076df8916 (diff)
download: meta-openembedded-2cfb80b24ce790d4d13c315207d28df0afe4d90c.tar.gz
2 files changed, 208 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
new file mode 100644
index 000000000..46eb6aa96
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
@@ -0,0 +1,207 @@
+From c5f9c816107f70139de11b38aa02db2f1774ee0d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 5 Mar 2024 19:53:07 -0500
+Subject: [PATCH] Fix two unlikely memory leaks
+In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
+could probably never be triggered) leaks plain.data.  Fix this leak
+and use current practices for cleanup throughout the function.
+In xmt_rmtcallres() (unused within the tree and likely elsewhere),
+store port_ptr into crp->port_ptr as soon as it is allocated;
+otherwise it could leak if the subsequent xdr_u_int32() operation
+fails.
+CVE: CVE-2024-26458 CVE-2024-26461
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
+ src/lib/rpc/pmap_rmt.c         |  9 +++---
+ 2 files changed, 29 insertions(+), 36 deletions(-)
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index 1fcbdfb..d3210c1 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+                                 int conf_req_flag, int toktype)
+ {
+     size_t bufsize = 16;
+-    unsigned char *outbuf = 0;
+    unsigned char *outbuf = NULL;
+     krb5_error_code err;
+     int key_usage;
+     unsigned char acceptor_flag;
+@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+     size_t ec;
+     unsigned short tok_id;
+-    krb5_checksum sum;
+    krb5_checksum sum = { 0 };
+     krb5_key key;
+     krb5_cksumtype cksumtype;
+    krb5_data plain = empty_data();
+
+    token->value = NULL;
+    token->length = 0;
+     acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
+     key_usage = (toktype == KG_TOK_WRAP_MSG
+@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
+-        krb5_data plain;
+         krb5_enc_data cipher;
+         size_t ec_max;
+         size_t encrypt_size;
+         /* 300: Adds some slop.  */
+-        if (SIZE_MAX - 300 < message->length)
+-            return ENOMEM;
+        if (SIZE_MAX - 300 < message->length) {
+            err = ENOMEM;
+            goto cleanup;
+        }
+         ec_max = SIZE_MAX - message->length - 300;
+         if (ec_max > 0xffff)
+             ec_max = 0xffff;
+@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+         err = alloc_data(&plain, message->length + 16 + ec);
+         if (err)
+-            return err;
+            goto cleanup;
+         /* Get size of ciphertext.  */
+         encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
+         if (encrypt_size > SIZE_MAX / 2) {
+             err = ENOMEM;
+-            goto error;
+            goto cleanup;
+         }
+         bufsize = 16 + encrypt_size;
+         /* Allocate space for header plus encrypted data.  */
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            return ENOMEM;
+            err = ENOMEM;
+            goto cleanup;
+         }
+         /* TOK_ID */
+@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         cipher.ciphertext.length = bufsize - 16;
+         cipher.enctype = key->keyblock.enctype;
+         err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err)
+-            goto error;
+            goto cleanup;
+         /* Now that we know we're returning a valid token....  */
+         ctx->seq_send++;
+@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         /* If the rotate fails, don't worry about it.  */
+ #endif
+     } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
+-        krb5_data plain;
+         size_t cksumsize;
+         /* Here, message is the application-supplied data; message2 is
+@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+     wrap_with_checksum:
+         err = alloc_data(&plain, message->length + 16);
+         if (err)
+-            return err;
+            goto cleanup;
+         err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
+         if (err)
+-            goto error;
+            goto cleanup;
+         assert(cksumsize <= 0xffff);
+         bufsize = 16 + message2->length + cksumsize;
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            plain.data = 0;
+             err = ENOMEM;
+-            goto error;
+            goto cleanup;
+         }
+         /* TOK_ID */
+@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         if (message2->length)
+             memcpy(outbuf + 16, message2->value, message2->length);
+-        sum.contents = outbuf + 16 + message2->length;
+-        sum.length = cksumsize;
+-
+         err = krb5_k_make_checksum(context, cksumtype, key,
+                                    key_usage, &plain, &sum);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err) {
+             zap(outbuf,bufsize);
+-            goto error;
+            goto cleanup;
+         }
+         if (sum.length != cksumsize)
+             abort();
+         memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
+-        krb5_free_checksum_contents(context, &sum);
+-        sum.contents = 0;
+         /* Now that we know we're actually generating the token...  */
+         ctx->seq_send++;
+@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+     token->value = outbuf;
+     token->length = bufsize;
+-    return 0;
+    outbuf = NULL;
+    err = 0;
+-error:
+cleanup:
+    krb5_free_checksum_contents(context, &sum);
+    zapfree(plain.data, plain.length);
+     gssalloc_free(outbuf);
+-    token->value = NULL;
+-    token->length = 0;
+     return err;
+ }
+diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
+index 8c7e30c..522cb20 100644
+--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
+@@ -160,11 +160,12 @@ xdr_rmtcallres(
+        caddr_t port_ptr;
+        port_ptr = (caddr_t)(void *)crp->port_ptr;
+-       if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+-           xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
+-               crp->port_ptr = (uint32_t *)(void *)port_ptr;
+        if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+                          (xdrproc_t)xdr_u_int32))
+               return (FALSE);
+       crp->port_ptr = (uint32_t *)(void *)port_ptr;
+       if (xdr_u_int32(xdrs, &crp->resultslen))
+                return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
+-       }
+        return (FALSE);
+ }
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
index c482472ff..748918132 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://etc/default/krb5-admin-server \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
+           file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
 "
 SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"
author	Yogita Urade <yogita.urade@windriver.com>	2024-08-23 06:46:03 +0000
committer	Khem Raj <raj.khem@gmail.com>	2024-08-23 22:35:10 -0700
commit	2cfb80b24ce790d4d13c315207d28df0afe4d90c (patch)
tree	88a4dff83ed71142b6bf9355fda4feb2e142cc1c
parent	8c43e7a2997696179c562fe0d0be2aa076df8916 (diff)
download	meta-openembedded-2cfb80b24ce790d4d13c315207d28df0afe4d90c.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch new file mode 100644 index 000000000..46eb6aa96 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
@@ -0,0 +1,207 @@
		1	From c5f9c816107f70139de11b38aa02db2f1774ee0d Mon Sep 17 00:00:00 2001
		2	From: Greg Hudson <ghudson@mit.edu>
		3	Date: Tue, 5 Mar 2024 19:53:07 -0500
		4	Subject: [PATCH] Fix two unlikely memory leaks
		5
		6	In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
		7	could probably never be triggered) leaks plain.data. Fix this leak
		8	and use current practices for cleanup throughout the function.
		9
		10	In xmt_rmtcallres() (unused within the tree and likely elsewhere),
		11	store port_ptr into crp->port_ptr as soon as it is allocated;
		12	otherwise it could leak if the subsequent xdr_u_int32() operation
		13	fails.
		14
		15	CVE: CVE-2024-26458 CVE-2024-26461
		16	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d]
		17
		18	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		19	---
		20	src/lib/gssapi/krb5/k5sealv3.c \| 56 +++++++++++++++-------------------
		21	src/lib/rpc/pmap_rmt.c \| 9 +++---
		22	2 files changed, 29 insertions(+), 36 deletions(-)
		23
		24	diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
		25	index 1fcbdfb..d3210c1 100644
		26	--- a/src/lib/gssapi/krb5/k5sealv3.c
		27	+++ b/src/lib/gssapi/krb5/k5sealv3.c
		28	@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		29	int conf_req_flag, int toktype)
		30	{
		31	size_t bufsize = 16;
		32	- unsigned char *outbuf = 0;
		33	+ unsigned char *outbuf = NULL;
		34	krb5_error_code err;
		35	int key_usage;
		36	unsigned char acceptor_flag;
		37	@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		38	#endif
		39	size_t ec;
		40	unsigned short tok_id;
		41	- krb5_checksum sum;
		42	+ krb5_checksum sum = { 0 };
		43	krb5_key key;
		44	krb5_cksumtype cksumtype;
		45	+ krb5_data plain = empty_data();
		46	+
		47	+ token->value = NULL;
		48	+ token->length = 0;
		49
		50	acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
		51	key_usage = (toktype == KG_TOK_WRAP_MSG
		52	@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		53	#endif
		54
		55	if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
		56	- krb5_data plain;
		57	krb5_enc_data cipher;
		58	size_t ec_max;
		59	size_t encrypt_size;
		60
		61	/* 300: Adds some slop. */
		62	- if (SIZE_MAX - 300 < message->length)
		63	- return ENOMEM;
		64	+ if (SIZE_MAX - 300 < message->length) {
		65	+ err = ENOMEM;
		66	+ goto cleanup;
		67	+ }
		68	ec_max = SIZE_MAX - message->length - 300;
		69	if (ec_max > 0xffff)
		70	ec_max = 0xffff;
		71	@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		72	#endif
		73	err = alloc_data(&plain, message->length + 16 + ec);
		74	if (err)
		75	- return err;
		76	+ goto cleanup;
		77
		78	/* Get size of ciphertext. */
		79	encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
		80	if (encrypt_size > SIZE_MAX / 2) {
		81	err = ENOMEM;
		82	- goto error;
		83	+ goto cleanup;
		84	}
		85	bufsize = 16 + encrypt_size;
		86	/* Allocate space for header plus encrypted data. */
		87	outbuf = gssalloc_malloc(bufsize);
		88	if (outbuf == NULL) {
		89	- free(plain.data);
		90	- return ENOMEM;
		91	+ err = ENOMEM;
		92	+ goto cleanup;
		93	}
		94
		95	/* TOK_ID */
		96	@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		97	cipher.ciphertext.length = bufsize - 16;
		98	cipher.enctype = key->keyblock.enctype;
		99	err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
		100	- zap(plain.data, plain.length);
		101	- free(plain.data);
		102	- plain.data = 0;
		103	if (err)
		104	- goto error;
		105	+ goto cleanup;
		106
		107	/* Now that we know we're returning a valid token.... */
		108	ctx->seq_send++;
		109	@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		110	/* If the rotate fails, don't worry about it. */
		111	#endif
		112	} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
		113	- krb5_data plain;
		114	size_t cksumsize;
		115
		116	/* Here, message is the application-supplied data; message2 is
		117	@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		118	wrap_with_checksum:
		119	err = alloc_data(&plain, message->length + 16);
		120	if (err)
		121	- return err;
		122	+ goto cleanup;
		123
		124	err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
		125	if (err)
		126	- goto error;
		127	+ goto cleanup;
		128
		129	assert(cksumsize <= 0xffff);
		130
		131	bufsize = 16 + message2->length + cksumsize;
		132	outbuf = gssalloc_malloc(bufsize);
		133	if (outbuf == NULL) {
		134	- free(plain.data);
		135	- plain.data = 0;
		136	err = ENOMEM;
		137	- goto error;
		138	+ goto cleanup;
		139	}
		140
		141	/* TOK_ID */
		142	@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		143	if (message2->length)
		144	memcpy(outbuf + 16, message2->value, message2->length);
		145
		146	- sum.contents = outbuf + 16 + message2->length;
		147	- sum.length = cksumsize;
		148	-
		149	err = krb5_k_make_checksum(context, cksumtype, key,
		150	key_usage, &plain, &sum);
		151	- zap(plain.data, plain.length);
		152	- free(plain.data);
		153	- plain.data = 0;
		154	if (err) {
		155	zap(outbuf,bufsize);
		156	- goto error;
		157	+ goto cleanup;
		158	}
		159	if (sum.length != cksumsize)
		160	abort();
		161	memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
		162	- krb5_free_checksum_contents(context, &sum);
		163	- sum.contents = 0;
		164	/* Now that we know we're actually generating the token... */
		165	ctx->seq_send++;
		166
		167	@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		168
		169	token->value = outbuf;
		170	token->length = bufsize;
		171	- return 0;
		172	+ outbuf = NULL;
		173	+ err = 0;
		174
		175	-error:
		176	+cleanup:
		177	+ krb5_free_checksum_contents(context, &sum);
		178	+ zapfree(plain.data, plain.length);
		179	gssalloc_free(outbuf);
		180	- token->value = NULL;
		181	- token->length = 0;
		182	return err;
		183	}
		184
		185	diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
		186	index 8c7e30c..522cb20 100644
		187	--- a/src/lib/rpc/pmap_rmt.c
		188	+++ b/src/lib/rpc/pmap_rmt.c
		189	@@ -160,11 +160,12 @@ xdr_rmtcallres(
		190	caddr_t port_ptr;
		191
		192	port_ptr = (caddr_t)(void *)crp->port_ptr;
		193	- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
		194	- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
		195	- crp->port_ptr = (uint32_t )(void )port_ptr;
		196	+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
		197	+ (xdrproc_t)xdr_u_int32))
		198	+ return (FALSE);
		199	+ crp->port_ptr = (uint32_t )(void )port_ptr;
		200	+ if (xdr_u_int32(xdrs, &crp->resultslen))
		201	return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
		202	- }
		203	return (FALSE);
		204	}
		205
		206	--
		207	2.40.0


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb index c482472ff..748918132 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
28	file://etc/default/krb5-admin-server \	28	file://etc/default/krb5-admin-server \
29	file://krb5-kdc.service \	29	file://krb5-kdc.service \
30	file://krb5-admin-server.service \	30	file://krb5-admin-server.service \
		31	file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"	34	SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35"