1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
new file mode 100644
index 000000000..160c090bc
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 21 Aug 2023 03:08:15 +0000
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+CVE: CVE-2023-36054
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2892d41..94b1ce8 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+                             int v)
+ {
+        unsigned int n;
+       bool_t r;
+        if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+                return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+        if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+                return (FALSE);
+        }
+       if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+               return (FALSE);
+       }
+        if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+                return (FALSE);
+        }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+                return FALSE;
+        }
+        n = objp->n_key_data;
+-       if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-                      &n, ~0, sizeof(krb5_key_data),
+-                      xdr_krb5_key_data_nocontents)) {
+       r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+                     sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+       objp->n_key_data = n;
+       if (!r) {
+                return (FALSE);
+        }
+--
+2.40.0

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 000000000..160c090bc --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@
	1	From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
	2	From: Greg Hudson <ghudson@mit.edu>
	3	Date: Mon, 21 Aug 2023 03:08:15 +0000
	4	Subject: [PATCH] Ensure array count consistency in kadm5 RPC
	5
	6	In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
	7	key_data array count when decoding. Otherwise when the structure is
	8	later freed, xdr_array() could iterate over the wrong number of
	9	elements, either leaking some memory or freeing uninitialized
	10	pointers. Reported by Robert Morris.
	11
	12	CVE: CVE-2023-36054
	13
	14	An authenticated attacker can cause a kadmind process to crash by
	15	freeing uninitialized pointers. Remote code execution is unlikely.
	16	An attacker with control of a kadmin server can cause a kadmin client
	17	to crash by freeing uninitialized pointers.
	18
	19	ticket: 9099 (new)
	20	tags: pullup
	21	target_version: 1.21-next
	22	target_version: 1.20-next
	23
	24	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
	25
	26	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	27	---
	28	src/lib/kadm5/kadm_rpc_xdr.c \| 11 ++++++++---
	29	1 file changed, 8 insertions(+), 3 deletions(-)
	30
	31	diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
	32	index 2892d41..94b1ce8 100644
	33	--- a/src/lib/kadm5/kadm_rpc_xdr.c
	34	+++ b/src/lib/kadm5/kadm_rpc_xdr.c
	35	@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
	36	int v)
	37	{
	38	unsigned int n;
	39	+ bool_t r;
	40
	41	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
	42	return (FALSE);
	43	@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
	44	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
	45	return (FALSE);
	46	}
	47	+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
	48	+ return (FALSE);
	49	+ }
	50	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
	51	return (FALSE);
	52	}
	53	@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR xdrs, kadm5_principal_ent_rec objp,
	54	return FALSE;
	55	}
	56	n = objp->n_key_data;
	57	- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
	58	- &n, ~0, sizeof(krb5_key_data),
	59	- xdr_krb5_key_data_nocontents)) {
	60	+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
	61	+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
	62	+ objp->n_key_data = n;
	63	+ if (!r) {
	64	return (FALSE);
	65	}
	66
	67	--
	68	2.40.0