krb5: fix CVE-2024-26458 and CVE-2024-26461

Upstream-Status: Backport from https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2024-08-14 10:46:20 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-08-25 18:11:29 -0400
commit: f0b3330b9dcd56c4fc547d92431db2024ab80359 (patch)
tree: 53521b55cd2306eda0a1c9513c6d50f54a799ddd /meta-oe
parent: 52ecd66835dcfd8b4e55c9cb6325908ccea6a4e7 (diff)
download: meta-openembedded-f0b3330b9dcd56c4fc547d92431db2024ab80359.tar.gz
2 files changed, 208 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
new file mode 100644
index 0000000000..10e6a92f46
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
@@ -0,0 +1,207 @@
+From c5f9c816107f70139de11b38aa02db2f1774ee0d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 5 Mar 2024 19:53:07 -0500
+Subject: [PATCH] Fix two unlikely memory leaks
+In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
+could probably never be triggered) leaks plain.data.  Fix this leak
+and use current practices for cleanup throughout the function.
+In xmt_rmtcallres() (unused within the tree and likely elsewhere),
+store port_ptr into crp->port_ptr as soon as it is allocated;
+otherwise it could leak if the subsequent xdr_u_int32() operation
+fails.
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d]
+CVE: CVE-2024-26458 CVE-2024-26461
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
+ src/lib/rpc/pmap_rmt.c         |  9 +++---
+ 2 files changed, 29 insertions(+), 36 deletions(-)
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index 48fc508..606fa6d 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+                                 int conf_req_flag, int toktype)
+ {
+     size_t bufsize = 16;
+-    unsigned char *outbuf = 0;
+    unsigned char *outbuf = NULL;
+     krb5_error_code err;
+     int key_usage;
+     unsigned char acceptor_flag;
+@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+     size_t ec;
+     unsigned short tok_id;
+-    krb5_checksum sum;
+    krb5_checksum sum = { 0 };
+     krb5_key key;
+     krb5_cksumtype cksumtype;
+    krb5_data plain = empty_data();
+
+    token->value = NULL;
+    token->length = 0;
+ 
+     acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
+     key_usage = (toktype == KG_TOK_WRAP_MSG
+@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+ 
+     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
+-        krb5_data plain;
+         krb5_enc_data cipher;
+         size_t ec_max;
+         size_t encrypt_size;
+ 
+         /* 300: Adds some slop.  */
+-        if (SIZE_MAX - 300 < message->length)
+-            return ENOMEM;
+        if (SIZE_MAX - 300 < message->length) {
+            err = ENOMEM;
+            goto cleanup;
+        }
+         ec_max = SIZE_MAX - message->length - 300;
+         if (ec_max > 0xffff)
+             ec_max = 0xffff;
+@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+         err = alloc_data(&plain, message->length + 16 + ec);
+         if (err)
+-            return err;
+            goto cleanup;
+ 
+         /* Get size of ciphertext.  */
+         encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
+         if (encrypt_size > SIZE_MAX / 2) {
+             err = ENOMEM;
+-            goto error;
+            goto cleanup;
+         }
+         bufsize = 16 + encrypt_size;
+         /* Allocate space for header plus encrypted data.  */
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            return ENOMEM;
+            err = ENOMEM;
+            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -165,11 +170,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         cipher.ciphertext.length = bufsize - 16;
+         cipher.enctype = key->keyblock.enctype;
+         err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err)
+-            goto error;
+            goto cleanup;
+ 
+         /* Now that we know we're returning a valid token....  */
+         ctx->seq_send++;
+@@ -182,7 +184,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         /* If the rotate fails, don't worry about it.  */
+ #endif
+     } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
+-        krb5_data plain;
+         size_t cksumsize;
+ 
+         /* Here, message is the application-supplied data; message2 is
+@@ -194,21 +195,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+     wrap_with_checksum:
+         err = alloc_data(&plain, message->length + 16);
+         if (err)
+-            return err;
+            goto cleanup;
+ 
+         err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
+         if (err)
+-            goto error;
+            goto cleanup;
+ 
+         assert(cksumsize <= 0xffff);
+ 
+         bufsize = 16 + message2->length + cksumsize;
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            plain.data = 0;
+             err = ENOMEM;
+-            goto error;
+            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -240,23 +239,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         if (message2->length)
+             memcpy(outbuf + 16, message2->value, message2->length);
+ 
+-        sum.contents = outbuf + 16 + message2->length;
+-        sum.length = cksumsize;
+-
+         err = krb5_k_make_checksum(context, cksumtype, key,
+                                    key_usage, &plain, &sum);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err) {
+             zap(outbuf,bufsize);
+-            goto error;
+            goto cleanup;
+         }
+         if (sum.length != cksumsize)
+             abort();
+         memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
+-        krb5_free_checksum_contents(context, &sum);
+-        sum.contents = 0;
+         /* Now that we know we're actually generating the token...  */
+         ctx->seq_send++;
+ 
+@@ -286,12 +277,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ 
+     token->value = outbuf;
+     token->length = bufsize;
+-    return 0;
+    outbuf = NULL;
+    err = 0;
+ 
+-error:
+cleanup:
+    krb5_free_checksum_contents(context, &sum);
+    zapfree(plain.data, plain.length);
+     gssalloc_free(outbuf);
+-    token->value = NULL;
+-    token->length = 0;
+     return err;
+ }
+ 
+diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
+index 8c7e30c..0748af3 100644
+--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
+@@ -160,11 +160,12 @@ xdr_rmtcallres(
+        caddr_t port_ptr;
+ 
+        port_ptr = (caddr_t)(void *)crp->port_ptr;
+-       if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+-           xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
+-               crp->port_ptr = (uint32_t *)(void *)port_ptr;
+       if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+                          (xdrproc_t)xdr_u_int32))
+               return (FALSE);
+       crp->port_ptr = (uint32_t *)(void *)port_ptr;
+       if (xdr_u_int32(xdrs, &crp->resultslen))
+                return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
+-       }
+        return (FALSE);
+ }
+ 
+-- 
+2.25.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb
index ef256179fe..4c86bd94f5 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://CVE-2023-36054.patch;striplevel=2 \
           file://CVE-2024-37370_37371-pre1.patch;striplevel=2 \
           file://CVE-2024-37370_37371.patch;striplevel=2 \
+           file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
 SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"
author	Hitendra Prajapati <hprajapati@mvista.com>	2024-08-14 10:46:20 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-08-25 18:11:29 -0400
commit	f0b3330b9dcd56c4fc547d92431db2024ab80359 (patch)
tree	53521b55cd2306eda0a1c9513c6d50f54a799ddd /meta-oe
parent	52ecd66835dcfd8b4e55c9cb6325908ccea6a4e7 (diff)
download	meta-openembedded-f0b3330b9dcd56c4fc547d92431db2024ab80359.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch new file mode 100644 index 0000000000..10e6a92f46 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2024-26458_CVE-2024-26461.patch
@@ -0,0 +1,207 @@
		1	From c5f9c816107f70139de11b38aa02db2f1774ee0d Mon Sep 17 00:00:00 2001
		2	From: Greg Hudson <ghudson@mit.edu>
		3	Date: Tue, 5 Mar 2024 19:53:07 -0500
		4	Subject: [PATCH] Fix two unlikely memory leaks
		5
		6	In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
		7	could probably never be triggered) leaks plain.data. Fix this leak
		8	and use current practices for cleanup throughout the function.
		9
		10	In xmt_rmtcallres() (unused within the tree and likely elsewhere),
		11	store port_ptr into crp->port_ptr as soon as it is allocated;
		12	otherwise it could leak if the subsequent xdr_u_int32() operation
		13	fails.
		14
		15	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d]
		16	CVE: CVE-2024-26458 CVE-2024-26461
		17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		18	---
		19	src/lib/gssapi/krb5/k5sealv3.c \| 56 +++++++++++++++-------------------
		20	src/lib/rpc/pmap_rmt.c \| 9 +++---
		21	2 files changed, 29 insertions(+), 36 deletions(-)
		22
		23	diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
		24	index 48fc508..606fa6d 100644
		25	--- a/src/lib/gssapi/krb5/k5sealv3.c
		26	+++ b/src/lib/gssapi/krb5/k5sealv3.c
		27	@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		28	int conf_req_flag, int toktype)
		29	{
		30	size_t bufsize = 16;
		31	- unsigned char *outbuf = 0;
		32	+ unsigned char *outbuf = NULL;
		33	krb5_error_code err;
		34	int key_usage;
		35	unsigned char acceptor_flag;
		36	@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		37	#endif
		38	size_t ec;
		39	unsigned short tok_id;
		40	- krb5_checksum sum;
		41	+ krb5_checksum sum = { 0 };
		42	krb5_key key;
		43	krb5_cksumtype cksumtype;
		44	+ krb5_data plain = empty_data();
		45	+
		46	+ token->value = NULL;
		47	+ token->length = 0;
		48
		49	acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
		50	key_usage = (toktype == KG_TOK_WRAP_MSG
		51	@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		52	#endif
		53
		54	if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
		55	- krb5_data plain;
		56	krb5_enc_data cipher;
		57	size_t ec_max;
		58	size_t encrypt_size;
		59
		60	/* 300: Adds some slop. */
		61	- if (SIZE_MAX - 300 < message->length)
		62	- return ENOMEM;
		63	+ if (SIZE_MAX - 300 < message->length) {
		64	+ err = ENOMEM;
		65	+ goto cleanup;
		66	+ }
		67	ec_max = SIZE_MAX - message->length - 300;
		68	if (ec_max > 0xffff)
		69	ec_max = 0xffff;
		70	@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		71	#endif
		72	err = alloc_data(&plain, message->length + 16 + ec);
		73	if (err)
		74	- return err;
		75	+ goto cleanup;
		76
		77	/* Get size of ciphertext. */
		78	encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
		79	if (encrypt_size > SIZE_MAX / 2) {
		80	err = ENOMEM;
		81	- goto error;
		82	+ goto cleanup;
		83	}
		84	bufsize = 16 + encrypt_size;
		85	/* Allocate space for header plus encrypted data. */
		86	outbuf = gssalloc_malloc(bufsize);
		87	if (outbuf == NULL) {
		88	- free(plain.data);
		89	- return ENOMEM;
		90	+ err = ENOMEM;
		91	+ goto cleanup;
		92	}
		93
		94	/* TOK_ID */
		95	@@ -165,11 +170,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		96	cipher.ciphertext.length = bufsize - 16;
		97	cipher.enctype = key->keyblock.enctype;
		98	err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
		99	- zap(plain.data, plain.length);
		100	- free(plain.data);
		101	- plain.data = 0;
		102	if (err)
		103	- goto error;
		104	+ goto cleanup;
		105
		106	/* Now that we know we're returning a valid token.... */
		107	ctx->seq_send++;
		108	@@ -182,7 +184,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		109	/* If the rotate fails, don't worry about it. */
		110	#endif
		111	} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
		112	- krb5_data plain;
		113	size_t cksumsize;
		114
		115	/* Here, message is the application-supplied data; message2 is
		116	@@ -194,21 +195,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		117	wrap_with_checksum:
		118	err = alloc_data(&plain, message->length + 16);
		119	if (err)
		120	- return err;
		121	+ goto cleanup;
		122
		123	err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
		124	if (err)
		125	- goto error;
		126	+ goto cleanup;
		127
		128	assert(cksumsize <= 0xffff);
		129
		130	bufsize = 16 + message2->length + cksumsize;
		131	outbuf = gssalloc_malloc(bufsize);
		132	if (outbuf == NULL) {
		133	- free(plain.data);
		134	- plain.data = 0;
		135	err = ENOMEM;
		136	- goto error;
		137	+ goto cleanup;
		138	}
		139
		140	/* TOK_ID */
		141	@@ -240,23 +239,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		142	if (message2->length)
		143	memcpy(outbuf + 16, message2->value, message2->length);
		144
		145	- sum.contents = outbuf + 16 + message2->length;
		146	- sum.length = cksumsize;
		147	-
		148	err = krb5_k_make_checksum(context, cksumtype, key,
		149	key_usage, &plain, &sum);
		150	- zap(plain.data, plain.length);
		151	- free(plain.data);
		152	- plain.data = 0;
		153	if (err) {
		154	zap(outbuf,bufsize);
		155	- goto error;
		156	+ goto cleanup;
		157	}
		158	if (sum.length != cksumsize)
		159	abort();
		160	memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
		161	- krb5_free_checksum_contents(context, &sum);
		162	- sum.contents = 0;
		163	/* Now that we know we're actually generating the token... */
		164	ctx->seq_send++;
		165
		166	@@ -286,12 +277,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
		167
		168	token->value = outbuf;
		169	token->length = bufsize;
		170	- return 0;
		171	+ outbuf = NULL;
		172	+ err = 0;
		173
		174	-error:
		175	+cleanup:
		176	+ krb5_free_checksum_contents(context, &sum);
		177	+ zapfree(plain.data, plain.length);
		178	gssalloc_free(outbuf);
		179	- token->value = NULL;
		180	- token->length = 0;
		181	return err;
		182	}
		183
		184	diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
		185	index 8c7e30c..0748af3 100644
		186	--- a/src/lib/rpc/pmap_rmt.c
		187	+++ b/src/lib/rpc/pmap_rmt.c
		188	@@ -160,11 +160,12 @@ xdr_rmtcallres(
		189	caddr_t port_ptr;
		190
		191	port_ptr = (caddr_t)(void *)crp->port_ptr;
		192	- if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
		193	- xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
		194	- crp->port_ptr = (uint32_t )(void )port_ptr;
		195	+ if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
		196	+ (xdrproc_t)xdr_u_int32))
		197	+ return (FALSE);
		198	+ crp->port_ptr = (uint32_t )(void )port_ptr;
		199	+ if (xdr_u_int32(xdrs, &crp->resultslen))
		200	return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
		201	- }
		202	return (FALSE);
		203	}
		204
		205	--
		206	2.25.1
		207


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb index ef256179fe..4c86bd94f5 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
36	file://CVE-2023-36054.patch;striplevel=2 \	36	file://CVE-2023-36054.patch;striplevel=2 \
37	file://CVE-2024-37370_37371-pre1.patch;striplevel=2 \	37	file://CVE-2024-37370_37371-pre1.patch;striplevel=2 \
38	file://CVE-2024-37370_37371.patch;striplevel=2 \	38	file://CVE-2024-37370_37371.patch;striplevel=2 \
		39	file://CVE-2024-26458_CVE-2024-26461.patch;striplevel=2 \
39	"	40	"
40	SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"	41	SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
41	SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"	42	SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"