| author | Polampalli, Archana <archana.polampalli@windriver.com> | 2023-06-16 12:21:21 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-06-17 14:22:30 -0400 |
| commit | 5790310da3eeed427d8911905ede545386db35a0 (patch) | |
| tree | c69ee17c9bb9e77ff623e34799f8591053837a85 | |
| parent | 0393024cc5ccbe2575ca1f0db0af56c5682a7ce4 (diff) | |
| download | meta-openembedded-5790310da3eeed427d8911905ede545386db35a0.tar.gz | |
samba: fix CVE-2021-44758
Heimdal before 7.7.1 allows attackers to cause a NULL pointer
dereference in a SPNEGO acceptor via a preferred_mech_type of
GSS_C_NO_OID and a nonzero initial_response value to send_accept.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44758
Upstream patches:
https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch | 72 | ||||
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba_4.14.14.bb | 1 |
2 files changed, 73 insertions, 0 deletions
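diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch
new file mode 100644
index 0000000000..6610899458
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch
@@ -0,0 +1,72 @@
+From f9ec7002cdd526ae84fbacbf153162e118f22580 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Wed Mar 9 10:18:52 2022 -0600
+Subject: [PATCH] spnego: CVE-2021-44758 send_reject when no mech selected
+
+This fixes a DoS where an initial SPNEGO token that has no acceptable
+mechanisms causes a NULL dereference in acceptors.
+
+send_accept() when called with a non-zero 'initial_response' did
+not handle the case of gssspnego_ctx.preferred_mech_type equal
+to GSS_C_NO_OID.
+
+The failure to handle GSS_C_NO_OID has been present since the
+initial revision of gssapi/spnego,
+2baa7e7d613c26b2b037b368931519a84baec53d but might not have
+been exercised until later revisions.
+
+The introduction of opportunistic token handling in
+gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663,
+introduced two bugs:
+
+1. The optional mechToken field is used unconditionally
+possibly resulting in a segmentation fault.
+
+2. If use of the opportunistic token is unsuccessful and the
+mech type list length is one, send_accept() can be called
+with 'initial_response' true and preferred mech set to
+GSS_C_NO_OID.
+
+b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting
+somewhat more correct for SPNEGO") attempted to fix the first
+issue and increased the likelihood of the second.
+
+This change alters the behavior of acceptor_start() so it calls
+send_reject() when no mechanism was selected.
+
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580]
+CVE: CVE-2021-44758
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+.../heimdal/lib/gssapi/spnego/accept_sec_context.c | 14 ++++++++------
+1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
+index 3a51dd3..b60dc19 100644
+--- a/lib/gssapi/spnego/accept_sec_context.c
++++ b/lib/gssapi/spnego/accept_sec_context.c
+@@ -619,13 +619,15 @@ acceptor_start
+if (ret == 0)
+break;
+}
+- if (preferred_mech_type == GSS_C_NO_OID) {
+- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+- free_NegotiationToken(&nt);
+- return ret;
+- }
++ }
++
++ ctx->preferred_mech_type = preferred_mech_type;
+
+- ctx->preferred_mech_type = preferred_mech_type;
++ if (preferred_mech_type == GSS_C_NO_OID) {
++ send_reject(minor_status, output_token);
++ HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
++ free_NegotiationToken(&nt);
++ return ret;
+}
+
+/*
+--
+2.40.0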
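Review bot: In the added reject branch (patch lines 63-67) the result of `send_reject(minor_status, output_token)` is discarded and the function returns the `ret` left over from the earlier mechanism-selection calls. That only signals failure to the caller if `ret` is non-zero whenever `preferred_mech_type` is still `GSS_C_NO_OID`. The visible `if (ret == 0) break;` suggests this holds, but acceptor_start begins and ends outside the hunk, so it should be confirmed against the bundled source4/heimdal tree. A one-line comment on the branch would record the intent, e.g. `/* No acceptable mech: emit a reject token; ret carries the selection failure. */`. The patch also moves the `ctx->preferred_mech_type` assignment ahead of the check, so the context can now hold `GSS_C_NO_OID` on the reject path; it is worth checking that later code never reads that field after a rejected negotiation.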
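diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index fcec63752f..72021745b3 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -32,6 +32,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
 file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
 file://CVE-2022-45142.patch;patchdir=source4/heimdal \
 file://CVE-2022-41916.patch;patchdir=source4/heimdal \
+file://CVE-2021-44758.patch;patchdir=source4/heimdal \
 "
 
 SRC_URI:append:libc-musl = " \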
