From b8edfa7ad568f0e50ccd22454be0113f376a6e70 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 21 Feb 2023 17:57:09 +0800
Subject: [PATCH] Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567

(cherry picked from commit f3bbca8f340260046ba0f4bda7546e45a27b4ce1)
---
 CVE-2023-25563.patch | 67 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2023-25564.patch | 58 ++++++++++++++++++++++++++++++++++++++
 CVE-2023-25565.patch | 38 +++++++++++++++++++++++++
 CVE-2023-25567.patch | 46 ++++++++++++++++++++++++++++++
 gssntlmssp.spec | 9 +++++-
 5 files changed, 217 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-25563.patch
 create mode 100644 CVE-2023-25564.patch
 create mode 100644 CVE-2023-25565.patch
 create mode 100644 CVE-2023-25567.patch

diff --git a/CVE-2023-25563.patch b/CVE-2023-25563.patch
new file mode 100644
index 0000000..04ad195
--- /dev/null
+++ b/CVE-2023-25563.patch
@@ -0,0 +1,67 @@
+From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 7 Feb 2023 13:51:34 -0500
+Subject: [PATCH] Out-of-bounds read in multiple decode functions
+
+These were reported as:
+- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
+- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
+- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)
+
+These are lall basically the same identical error replicated in 3
+separate functions.
+
+Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
+the GitHub Security Lab team via oss-fuzz.
+
+A 32-bit integer overflow condition can lead to incorrect checks of
+consistency of length of internal buffers. This leads to a DoS
+as the service may end up reading from unmapped memory and crashing.
+
+Although most applications will error out before accepting a singe input
+buffer of 4GB in lenght this could theoretically happen, and therefore
+we fix it.
+
+Fixes CVE-2023-25563
+
+Signed-off-by: Simo Sorce
+---
+ src/ntlm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/ntlm.c b/src/ntlm.c
+index b2d84a2..df2458a 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
+ return 0;
+ }
+
+-
+ uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
+
+ static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
+@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
+ str_offs = le32toh(str_hdr->offset);
+ if ((str_offs < payload_offs) ||
+ (str_offs > buffer->length) ||
++ (UINT32_MAX - str_offs < str_len) ||
+ (str_offs + str_len > buffer->length)) {
+ return ERR_DECODE;
+ }
+@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
+ str_offs = le32toh(str_hdr->offset);
+ if ((str_offs < payload_offs) ||
+ (str_offs > buffer->length) ||
++ (UINT32_MAX - str_offs < str_len) ||
+ (str_offs + str_len > buffer->length)) {
+ return ERR_DECODE;
+ }
+@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
+ offs = le32toh(hdr->offset);
+ if ((offs < payload_offs) ||
+ (offs > buffer->length) ||
++ (UINT32_MAX - offs < len) ||
+ (offs + len > buffer->length)) {
+ return ERR_DECODE;
+ }
diff --git a/CVE-2023-25564.patch b/CVE-2023-25564.patch
new file mode 100644
index 0000000..9d0bf7a
--- /dev/null
+++ b/CVE-2023-25564.patch
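Review bot: The new `(UINT32_MAX - str_offs < str_len)` term in ntlm_decode_oem_str carries no comment saying why it is needed, and the identical bare guard is repeated in the ntlm_decode_u16l_str_hdr and ntlm_decode_field hunks of the same file; a one-line comment above each, `/* str_offs + str_len is evaluated in 32-bit arithmetic; reject wrap-around before the range compare */`, would spare the next reader the derivation. The guard is only sound when both operands are unsigned and no wider than 32 bits — `str_len` is `uint16_t` and `str_offs` is `uint32_t` per the declarations visible in the CVE-2023-25564 hunk, but the type of `len` in ntlm_decode_field is not shown here and is worth confirming. All three enclosing functions start outside the hunk, and since this file is a verbatim upstream commit (97c62c6) any such comment belongs upstream rather than in the backport copy.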
@@ -0,0 +1,58 @@
+From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 7 Feb 2023 12:14:20 -0500
+Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16
+
+Memory corruption when decoding UTF16 strings (GHSL-2023-013)
+
+Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via
+oss-fuzz.
+
+The variable outlen was not initialized and could cause writing a zero
+to an arbitrary place in memory if ntlm_str_convert() were to fail,
+which would leave outlen uninitialized.
+
+This can lead to a DoS if the write hits unmapped memory or randomly
+corrupting a byte in the application memory space.
+
+Make sure to zero out only if ntlm_str_convert() succeeds, but for good
+measure also initialize outlen to 0.
+
+Fixes CVE-2023-25564
+
+Signed-off-by: Simo Sorce
+---
+ src/ntlm.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/ntlm.c b/src/ntlm.c
+index df2458a..0ac1c03 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
+ char *in, *out = NULL;
+ uint16_t str_len;
+ uint32_t str_offs;
+- size_t outlen;
++ size_t outlen = 0;
+ int ret = 0;
+
+ str_len = le16toh(str_hdr->len);
+@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
+
+ ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
+
+- /* make sure to terminate output string */
+- out[outlen] = '\0';
+-
+ done:
+ if (ret) {
+ safefree(out);
++ } else {
++ /* make sure to terminate output string */
++ out[outlen] = '\0';
+ }
++
+ *str = out;
+ return ret;
+ }
diff --git a/CVE-2023-25565.patch b/CVE-2023-25565.patch
new file mode 100644
index 0000000..c13a0a9
--- /dev/null
+++ b/CVE-2023-25565.patch
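Review bot: The terminator write `out[outlen] = '\0';` now runs only on success, but the hunk does not show how `out` is sized, so the write still depends on the allocation reserving one byte beyond the largest `outlen` that ntlm_str_convert() can report; a comment at the allocation site (above this hunk) stating that invariant would make the new `else` branch self-evidently in bounds. On the early `goto done` paths with a non-zero `ret`, `safefree(out)` is followed by `*str = out;`, so callers receive NULL on failure only if safefree() also clears its argument — presumably it does, but that is not visible here. ntlm_decode_u16l_str_hdr begins before the first inner hunk.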
@@ -0,0 +1,38 @@
+From c16100f60907a2de92bcb676f303b81facee0f64 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 7 Feb 2023 12:04:11 -0500
+Subject: [PATCH] GHSL-2023-012: Incorrect free when decoding target
+
+Incorrect free when decoding target information (GHSL-2023-012)
+
+Fixes defect GHSL-2023-012 found by the GitHub Security Lab team via
+oss-fuzz.
+
+The error condition incorrectly assumed the cb and sh buffers would
+contain a copy of the data that needed to freed. However that is not the
+case.
+
+This will generally cause an assertion when trying to free a pointer
+that was never allocated, and potentially memory corruption depending on
+the contents fo the target_info buffer.
+
+This may cause a DoS condition.
+
+Signed-off-by: Simo Sorce
+---
+ src/ntlm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/ntlm.c b/src/ntlm.c
+index 0ac1c03..d3d7d1b 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -731,8 +731,6 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
+
+ done:
+ if (ret) {
+- ntlm_free_buffer_data(&sh);
+- ntlm_free_buffer_data(&cb);
+ safefree(nb_computer);
+ safefree(nb_domain);
+ safefree(dns_computer);
diff --git a/CVE-2023-25567.patch b/CVE-2023-25567.patch
new file mode 100644
index 0000000..7a7ac43
--- /dev/null
+++ b/CVE-2023-25567.patch
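Review bot: Dropping `ntlm_free_buffer_data(&sh)` and `(&cb)` from the error path is correct only if `sh` and `cb` never own heap data, which this hunk cannot show because their assignments sit above it in ntlm_decode_target_info; a comment at their declarations, e.g. `/* sh and cb are not owning copies; never freed here */`, would keep a later change from reintroducing the bad free. The remaining `safefree()` calls on nb_computer, nb_domain and dns_computer are left as owning strings, which matches the commit text. The enclosing function both starts and ends outside the hunk.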
@@ -0,0 +1,46 @@
+From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 7 Feb 2023 11:53:11 -0500
+Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding
+
+Out-of-bounds read when decoding target information (GHSL-2023-011)
+
+Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
+oss-fuzz.
+
+The lenght of the av_pair is not checked properly for two of the
+elements. In case the lenght is shorter than requires this may cause an
+out-of-bound read that either reads garbage or may cause a crash by
+reading unmapped memory.
+
+This can be exploited to crash the service causing a DoS.
+
+Signed-off-by: Simo Sorce
+---
+ src/ntlm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/ntlm.c b/src/ntlm.c
+index d3d7d1b..0f71bfd 100644
+--- a/src/ntlm.c
++++ b/src/ntlm.c
+@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
+ break;
+ case MSV_AV_TIMESTAMP:
+ if (!av_timestamp) continue;
++ if (av_len < sizeof(timestamp)) {
++ ret = ERR_DECODE;
++ goto done;
++ }
+ memcpy(×tamp, av_pair->value, sizeof(timestamp));
+ timestamp = le64toh(timestamp);
+ break;
+ case MSV_AV_FLAGS:
+ if (!av_flags) continue;
++ if (av_len < sizeof(flags)) {
++ ret = ERR_DECODE;
++ goto done;
++ }
+ memcpy(&flags, av_pair->value, sizeof(flags));
+ flags = le32toh(flags);
+ break;
diff --git a/gssntlmssp.spec b/gssntlmssp.spec
index 07f69c1..e2347a9 100644
--- a/gssntlmssp.spec
+++ b/gssntlmssp.spec
@@ -1,11 +1,15 @@
 Name: gssntlmssp
 Version: 0.7.0
-Release: 9
+Release: 10
 Summary: The mechanism of GSSAPI NTLMSSP
 License: LGPLv3+
 URL: https://pagure.io/gssntlmssp
 Source0: https://pagure.io/%{name}/archive/v{version}/%{name}-v%{version}.tar.gz
 Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+Patch02: CVE-2023-25567.patch
+Patch03: CVE-2023-25563.patch
+Patch04: CVE-2023-25564.patch
+Patch05: CVE-2023-25565.patch
 Requires: krb5-libs >= 1.12.1-9
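Review bot: The context line `memcpy(×tamp, av_pair->value, sizeof(timestamp));` looks like an HTML-entity rendering of `&timestamp` (`&times` shown as ×); if the committed CVE-2023-25567.patch really contains that byte sequence the context will not match src/ntlm.c and the patch will fail to apply during the build, so the file as stored should be checked with a plain `git show` rather than a browser view. The added `av_len < sizeof(timestamp)` and `av_len < sizeof(flags)` guards have the right shape, but they presume `av_len` was itself bounded against the remaining target_info length earlier in the loop, which begins outside the hunk. A short comment above each new check, `/* value must hold the whole fixed-width field */`, would state the intent.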
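Review bot: Patch02–Patch05 are declared, but whether they are applied depends on the `%prep` section, which is outside both hunks of this file; if `%prep` uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, four matching entries are needed or the build silently ships the unpatched source. The listed order (25567, 25563, 25564, 25565) also differs from the upstream commit order recoverable from the inner `index` lines (b2d84a2→df2458a→0ac1c03→d3d7d1b→0f71bfd, i.e. 25563, 25564, 25565, 25567); it should still apply with line offsets since the hunks touch disjoint regions, but numbering them `Patch02: CVE-2023-25563.patch` through `Patch05: CVE-2023-25567.patch` in upstream order would apply at the recorded line numbers. Unrelated to this change, the Source0 context line reads `archive/v{version}/` where `v%{version}` looks intended.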
@@ -62,6 +66,9 @@ make test_gssntlmssp
 %{_mandir}/man8/gssntlmssp.8*
 %changelog
+* Tue Feb 21 2023 yaoxin - 0.7.0-10
+- Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567
+
 * Mon Nov 21 2022 xu_ping - 0.7.0-9
 - DESC:Modify invalid source