!64 fix bug cve-2022-42898
From: @fangxiuning Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot
Gitee
commit
6cd39f31a6
106
Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
Normal file
106
Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
Normal file
@ -0,0 +1,106 @@
|
||||
From ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 17 Oct 2022 20:25:11 -0400
|
||||
Subject: [PATCH] Fix integer overflows in PAC parsing
|
||||
|
||||
In krb5_parse_pac(), check for buffer counts large enough to threaten
|
||||
integer overflow in the header length and memory length calculations.
|
||||
Avoid potential integer overflows when checking the length of each
|
||||
buffer. Credit to OSS-Fuzz for discovering one of the issues.
|
||||
|
||||
CVE-2022-42898:
|
||||
|
||||
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
|
||||
able to cause a KDC or kadmind process to crash by reading beyond the
|
||||
bounds of allocated memory, creating a denial of service. A
|
||||
privileged attacker may similarly be able to cause a Kerberos or GSS
|
||||
application service to crash. On 32-bit platforms, an attacker can
|
||||
also cause insufficient memory to be allocated for the result,
|
||||
potentially leading to remote code execution in a KDC, kadmind, or GSS
|
||||
or Kerberos application server process. An attacker with the
|
||||
privileges of a cross-realm KDC may be able to extract secrets from a
|
||||
KDC process's memory by having them copied into the PAC of a new
|
||||
ticket.
|
||||
|
||||
ticket: 9074 (new)
|
||||
tags: pullup
|
||||
target_version: 1.20-next
|
||||
target_version: 1.19-next
|
||||
---
|
||||
src/lib/krb5/krb/pac.c | 9 +++++++--
|
||||
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
|
||||
2 files changed, 25 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
||||
index 2f1df8d42..f6c4373de 100644
|
||||
--- a/src/lib/krb5/krb/pac.c
|
||||
+++ b/src/lib/krb5/krb/pac.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include "k5-int.h"
|
||||
#include "authdata.h"
|
||||
|
||||
+#define MAX_BUFFERS 4096
|
||||
+
|
||||
/* draft-brezak-win2k-krb-authz-00 */
|
||||
|
||||
/*
|
||||
@@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context,
|
||||
if (version != 0)
|
||||
return EINVAL;
|
||||
|
||||
+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
|
||||
+ return ERANGE;
|
||||
+
|
||||
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
|
||||
if (len < header_len)
|
||||
return ERANGE;
|
||||
@@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context,
|
||||
krb5_pac_free(context, pac);
|
||||
return EINVAL;
|
||||
}
|
||||
- if (buffer->Offset < header_len ||
|
||||
- buffer->Offset + buffer->cbBufferSize > len) {
|
||||
+ if (buffer->Offset < header_len || buffer->Offset > len ||
|
||||
+ buffer->cbBufferSize > len - buffer->Offset) {
|
||||
krb5_pac_free(context, pac);
|
||||
return ERANGE;
|
||||
}
|
||||
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
||||
index 0b1b1f056..173bde7ba 100644
|
||||
--- a/src/lib/krb5/krb/t_pac.c
|
||||
+++ b/src/lib/krb5/krb/t_pac.c
|
||||
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
|
||||
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
|
||||
};
|
||||
|
||||
+static const unsigned char fuzz1[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
|
||||
+};
|
||||
+
|
||||
+static const unsigned char fuzz2[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x20, 0x20
|
||||
+};
|
||||
+
|
||||
static const char *s4u_principal = "w2k8u@ACME.COM";
|
||||
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
|
||||
|
||||
@@ -828,6 +838,14 @@ main(int argc, char **argv)
|
||||
krb5_free_principal(context, sep);
|
||||
}
|
||||
|
||||
+ /* Check problematic PACs found by fuzzing. */
|
||||
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
|
||||
+ if (!ret)
|
||||
+ err(context, ret, "krb5_pac_parse should have failed");
|
||||
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
|
||||
+ if (!ret)
|
||||
+ err(context, ret, "krb5_pac_parse should have failed");
|
||||
+
|
||||
/*
|
||||
* Test empty free
|
||||
*/
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: krb5
|
||||
Version: 1.19.2
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: The Kerberos network authentication protocol
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -27,6 +27,7 @@ Patch4: fix-debuginfo-with-y.tab.c.patch
|
||||
Patch5: Remove-3des-support.patch
|
||||
Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
||||
Patch7: backport-CVE-2021-37750.patch
|
||||
Patch8: Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
|
||||
|
||||
BuildRequires: gettext
|
||||
BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
|
||||
@ -317,7 +318,11 @@ make -C src check || :
|
||||
%{_mandir}/man7/*
|
||||
%{_mandir}/man8/*
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 1.19.2-4
|
||||
- fix CVE-2022-42898
|
||||
|
||||
* Wed Oct 19 2022 zhouchenchen <zhouchenchen@huawei.com> - 1.19.2-3
|
||||
- update version to 1.19.2.3
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user