!15 [sync] PR-14: Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567

From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
openeuler-ci-bot 2023-02-23 03:20:59 +00:00 committed by Gitee
commit 479c23422b
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 217 additions and 1 deletions

CVE-2023-25563.patch Normal file

@ -0,0 +1,67 @@
From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 13:51:34 -0500
Subject: [PATCH] Out-of-bounds read in multiple decode functions
These were reported as:
- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)
These are all basically the same identical error replicated in 3
separate functions.
Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
the GitHub Security Lab team via oss-fuzz.
A 32-bit integer overflow condition can lead to incorrect checks of
consistency of length of internal buffers. This leads to a DoS
as the service may end up reading from unmapped memory and crashing.
Although most applications will error out before accepting a single input
buffer of 4GB in length, this could theoretically happen, and therefore
we fix it.
Fixes CVE-2023-25563
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index b2d84a2..df2458a 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
return 0;
}
-
uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
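Review bot: the only change in this hunk is the removal of a blank line after ntlm_str_convert(), which has nothing to do with the overflow fix; harmless, but whitespace-only edits are easier to backport when they are kept out of a security patch.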
@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
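Review bot: the new clause `(UINT32_MAX - str_offs < str_len)` correctly rejects any offset/length pair whose 32-bit sum would wrap before the `str_offs + str_len > buffer->length` comparison is made; it needs UINT32_MAX from <stdint.h>, which this file already relies on (uint8_t on the ntlmssp_sig line), so no new include is required. An equivalent form that avoids reasoning about the wrap at all is `str_len > buffer->length - str_offs`, which is safe here because `str_offs > buffer->length` has already been excluded by the preceding test.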
@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
offs = le32toh(hdr->offset);
if ((offs < payload_offs) ||
(offs > buffer->length) ||
+ (UINT32_MAX - offs < len) ||
(offs + len > buffer->length)) {
return ERR_DECODE;
}
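Review bot: this is the third copy of the same four-way bounds test (the other two are in ntlm_decode_oem_str and ntlm_decode_u16l_str_hdr above), which is exactly the replication the commit message describes as the source of the defect; a small static helper such as `field_in_bounds(offs, len, payload_offs, buffer->length)` called from all three sites would keep future changes to the check from drifting apart.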

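The 32-bit wrap described in the commit message above, as an added example that is not part of the patch or of gssntlmssp: the check before and after the fix, run on constructed offset/length values (ERR_DECODE, the argument types and the sample values are assumptions).

```c
/* Added example, not code from the gssntlmssp patch: shows why the
 * UINT32_MAX guard is needed. The checks mirror the if-statement in
 * ntlm_decode_oem_str(); ERR_DECODE and argument types are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_DECODE 1

/* Check as it stood before the patch. str_offs and str_len are the
 * decoded header fields; buffer_length stands for buffer->length. */
int check_field_unfixed(uint32_t str_offs, uint16_t str_len,
                        uint32_t payload_offs, size_t buffer_length)
{
    /* str_offs + str_len is computed in 32-bit unsigned arithmetic and
     * can wrap to a small value, so the last test passes wrongly. */
    if ((str_offs < payload_offs) ||
        (str_offs > buffer_length) ||
        (str_offs + str_len > buffer_length)) {
        return ERR_DECODE;
    }
    return 0;
}

/* Check with the patch applied: reject any pair whose sum would wrap. */
int check_field_fixed(uint32_t str_offs, uint16_t str_len,
                      uint32_t payload_offs, size_t buffer_length)
{
    if ((str_offs < payload_offs) ||
        (str_offs > buffer_length) ||
        (UINT32_MAX - str_offs < str_len) ||
        (str_offs + str_len > buffer_length)) {
        return ERR_DECODE;
    }
    return 0;
}

int main(void)
{
    /* Constructed case: buffer length just under 4 GiB (only the length
     * arithmetic runs; nothing is allocated), a field starting 8 bytes
     * before the end and claiming 256 bytes, so it overruns the buffer. */
    size_t big = (size_t)0xFFFFFFF0UL;
    uint32_t offs = 0xFFFFFFE8U;
    uint16_t len = 256;
    printf("before fix: %d (0 = accepted)\n", check_field_unfixed(offs, len, 64, big));
    printf("after fix:  %d (1 = rejected)\n", check_field_fixed(offs, len, 64, big));
    return 0;
}
```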
CVE-2023-25564.patch Normal file

@ -0,0 +1,58 @@
From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 12:14:20 -0500
Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16
Memory corruption when decoding UTF16 strings (GHSL-2023-013)
Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via
oss-fuzz.
The variable outlen was not initialized and could cause writing a zero
to an arbitrary place in memory if ntlm_str_convert() were to fail,
which would leave outlen uninitialized.
This can lead to a DoS if the write hits unmapped memory or randomly
corrupting a byte in the application memory space.
Make sure to zero out only if ntlm_str_convert() succeeds, but for good
measure also initialize outlen to 0.
Fixes CVE-2023-25564
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index df2458a..0ac1c03 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
char *in, *out = NULL;
uint16_t str_len;
uint32_t str_offs;
- size_t outlen;
+ size_t outlen = 0;
int ret = 0;
str_len = le16toh(str_hdr->len);
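Review bot: initializing outlen to 0 is a sensible belt-and-braces change, but on its own it would still leave the old `out[outlen] = '\0'` executing on the failure path before cleanup; the behavioural fix is the relocation of that write in the next hunk, so this line should be read as defence in depth rather than as the fix itself.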
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
- /* make sure to terminate output string */
- out[outlen] = '\0';
-
done:
if (ret) {
safefree(out);
+ } else {
+ /* make sure to terminate output string */
+ out[outlen] = '\0';
}
+
*str = out;
return ret;
}
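Review bot: moving `out[outlen] = '\0'` into the else branch makes the write conditional on ntlm_str_convert() having succeeded, which is the actual fix; two things to confirm from code outside this hunk: that every `goto done` reached with ret == 0 has `out` allocated (the else branch dereferences it unconditionally), and that the output allocation reserves outlen + 1 bytes so the terminator itself stays in bounds.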

CVE-2023-25565.patch Normal file

@ -0,0 +1,38 @@
From c16100f60907a2de92bcb676f303b81facee0f64 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 12:04:11 -0500
Subject: [PATCH] GHSL-2023-012: Incorrect free when decoding target
Incorrect free when decoding target information (GHSL-2023-012)
Fixes defect GHSL-2023-012 found by the GitHub Security Lab team via
oss-fuzz.
The error condition incorrectly assumed the cb and sh buffers would
contain a copy of the data that needed to be freed. However that is not the
case.
This will generally cause an assertion when trying to free a pointer
that was never allocated, and potentially memory corruption depending on
the contents of the target_info buffer.
This may cause a DoS condition.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index 0ac1c03..d3d7d1b 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -731,8 +731,6 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
done:
if (ret) {
- ntlm_free_buffer_data(&sh);
- ntlm_free_buffer_data(&cb);
safefree(nb_computer);
safefree(nb_domain);
safefree(dns_computer);
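Review bot: dropping the two ntlm_free_buffer_data() calls is correct only if sh and cb never own heap memory, i.e. they always alias data inside target_info as the commit message states; since the function body before `done:` is not in the hunk, confirm no path assigns allocated memory to sh.data or cb.data before an error exit, otherwise removing the frees turns a bad free into a leak. The remaining safefree() calls on the nb_*/dns_* strings are untouched and should be the ones covering the real allocations.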

CVE-2023-25567.patch Normal file

@ -0,0 +1,46 @@
From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 11:53:11 -0500
Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding
Out-of-bounds read when decoding target information (GHSL-2023-011)
Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
oss-fuzz.
The length of the av_pair is not checked properly for two of the
elements. In case the length is shorter than required this may cause an
out-of-bound read that either reads garbage or may cause a crash by
reading unmapped memory.
This can be exploited to crash the service causing a DoS.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/ntlm.c b/src/ntlm.c
index d3d7d1b..0f71bfd 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
break;
case MSV_AV_TIMESTAMP:
if (!av_timestamp) continue;
+ if (av_len < sizeof(timestamp)) {
+ ret = ERR_DECODE;
+ goto done;
+ }
memcpy(&timestamp, av_pair->value, sizeof(timestamp));
timestamp = le64toh(timestamp);
break;
case MSV_AV_FLAGS:
if (!av_flags) continue;
+ if (av_len < sizeof(flags)) {
+ ret = ERR_DECODE;
+ goto done;
+ }
memcpy(&flags, av_pair->value, sizeof(flags));
flags = le32toh(flags);
break;
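Review bot: the two added `av_len < sizeof(...)` guards stop memcpy() from reading past a short av_pair for MSV_AV_TIMESTAMP and MSV_AV_FLAGS; the test is `<`, so an av_len longer than the field is still accepted and only the leading bytes are copied, which is safe for a read but could reasonably be rejected as malformed. Any other case in this switch that memcpy()s a fixed-size value out of av_pair->value (not visible in the hunk) needs the same guard, and since the two added blocks are identical a small helper or macro would avoid a third copy.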


@ -1,11 +1,15 @@
Name: gssntlmssp
Version: 0.7.0
Release: 9
Release: 10
Summary: The mechanism of GSSAPI NTLMSSP
License: LGPLv3+
URL: https://pagure.io/gssntlmssp
Source0: https://pagure.io/%{name}/archive/v{version}/%{name}-v%{version}.tar.gz
Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
Patch02: CVE-2023-25567.patch
Patch03: CVE-2023-25563.patch
Patch04: CVE-2023-25564.patch
Patch05: CVE-2023-25565.patch
Requires: krb5-libs >= 1.12.1-9
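Review bot: Patch02..Patch05 are listed in the order 25567, 25563, 25564, 25565, while the index lines in the patch files chain the upstream commits as 25563 (b2d84a2..df2458a), 25564 (df2458a..0ac1c03), 25565 (0ac1c03..d3d7d1b), 25567 (d3d7d1b..0f71bfd); applying 25567 first shifts the line numbers the other three expect and relies on patch offset handling, so listing them in upstream order is safer. The %prep section is not in the diff, so confirm the new Patch0N entries are actually applied there. Unrelated but visible in context: Source0 reads `v{version}` where `v%{version}` is presumably intended.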
@ -62,6 +66,9 @@ make test_gssntlmssp
%{_mandir}/man8/gssntlmssp.8*
%changelog
* Tue Feb 21 2023 yaoxin <yaoxin30@h-partners.com> - 0.7.0-10
- Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567
* Mon Nov 21 2022 xu_ping <xuping33@h-partners.com> - 0.7.0-9
- DESC:Modify invalid source
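Review bot: the changelog entry names the four CVEs but not where the fixes come from; adding the upstream commit ids that appear in the patch headers (97c62c6, c753000, c16100f, 025fbb7) to the entry makes later audits easier, and a space after each comma would match the surrounding changelog style.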