packages/krb5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

modiyf

Browse Source
This commit is contained in:
fangxiuning 2022-12-17 17:25:03 +08:00
parent 17e5936f4c
commit 5e8feb6a23
2 changed files with 112 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch Normal file
View File

@ -0,0 +1,106 @@
From ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 17 Oct 2022 20:25:11 -0400
Subject: [PATCH] Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.
ticket: 9074 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
---
src/lib/krb5/krb/pac.c | 9 +++++++--
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 2f1df8d42..f6c4373de 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -28,6 +28,8 @@
#include "k5-int.h"
#include "authdata.h"
+#define MAX_BUFFERS 4096
+
/* draft-brezak-win2k-krb-authz-00 */
/*
@@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context,
if (version != 0)
return EINVAL;
+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
+ return ERANGE;
+
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
if (len < header_len)
return ERANGE;
@@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context,
krb5_pac_free(context, pac);
return EINVAL;
}
- if (buffer->Offset < header_len ||
- buffer->Offset + buffer->cbBufferSize > len) {
+ if (buffer->Offset < header_len || buffer->Offset > len ||
+ buffer->cbBufferSize > len - buffer->Offset) {
krb5_pac_free(context, pac);
return ERANGE;
}
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 0b1b1f056..173bde7ba 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
};
+static const unsigned char fuzz1[] = {
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
+};
+
+static const unsigned char fuzz2[] = {
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x20, 0x20
+};
+
static const char *s4u_principal = "w2k8u@ACME.COM";
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
@@ -828,6 +838,14 @@ main(int argc, char **argv)
krb5_free_principal(context, sep);
}
+ /* Check problematic PACs found by fuzzing. */
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+
/*
* Test empty free
*/
--
2.27.0

7
krb5.spec
View File

@ -3,7 +3,7 @@
Name: krb5 Name: krb5
Version: 1.19.2 Version: 1.19.2
Release: 3 Release: 4
Summary: The Kerberos network authentication protocol Summary: The Kerberos network authentication protocol
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -27,6 +27,7 @@ Patch4: fix-debuginfo-with-y.tab.c.patch
Patch5: Remove-3des-support.patch Patch5: Remove-3des-support.patch
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch7: backport-CVE-2021-37750.patch Patch7: backport-CVE-2021-37750.patch
Patch8: Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -317,7 +318,11 @@ make -C src check || :
%{_mandir}/man7/* %{_mandir}/man7/*
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 1.19.2-4
- fix CVE-2022-42898
* Wed Oct 19 2022 zhouchenchen <zhouchenchen@huawei.com> - 1.19.2-3 * Wed Oct 19 2022 zhouchenchen <zhouchenchen@huawei.com> - 1.19.2-3
- update version to 1.19.2.3 - update version to 1.19.2.3