!90 [sync] PR-86: fix CVE-2023-36054

From: @openeuler-sync-bot Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2023-08-29 02:40:17 +00:00 · 2023-08-29 02:40:17 +00:00 · 7b8cb1052d
commit 7b8cb1052d
parent c0e2bf2cd1 9f99da57a6
2 changed files with 70 additions and 1 deletions
--- a/CVE-2023-36054.patch
+++ b/CVE-2023-36054.patch
@ -0,0 +1,65 @@
 From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Wed, 21 Jun 2023 10:57:39 -0400
 Subject: [PATCH] Ensure array count consistency in kadm5 RPC
 In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
 key_data array count when decoding.  Otherwise when the structure is
 later freed, xdr_array() could iterate over the wrong number of
 elements, either leaking some memory or freeing uninitialized
 pointers.  Reported by Robert Morris.
 CVE-2023-36054:
 An authenticated attacker can cause a kadmind process to crash by
 freeing uninitialized pointers.  Remote code execution is unlikely.
 An attacker with control of a kadmin server can cause a kadmin client
 to crash by freeing uninitialized pointers.
 ticket: 9099 (new)
 tags: pullup
 target_version: 1.21-next
 target_version: 1.20-next
 ---
 src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
 diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
 index 0411c3fd3..287cae750 100644
 --- a/src/lib/kadm5/kadm_rpc_xdr.c
 +++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 			     int v)
 {
 	unsigned int n;
 +	bool_t r;
 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
 		return (FALSE);
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
 		return (FALSE);
 	}
 +	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
 +		return (FALSE);
 +	}
 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
 		return (FALSE);
 	}
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 		return FALSE;
 	}
 	n = objp->n_key_data;
 -	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
 -		       &n, ~0, sizeof(krb5_key_data),
 -		       xdr_krb5_key_data_nocontents)) {
 +	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
 +		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
 +	objp->n_key_data = n;
 +	if (!r) {
 		return (FALSE);
 	}
 -- 
 2.41.0.windows.3
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@
 Name:     krb5
 Version:  1.19.2
-Release:  8
+Release:  9
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -35,6 +35,7 @@ Patch11: backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
 Patch12: backport-Fix-many-unlikely-memory-leaks.patch
 Patch13: backport-Free-verto-context-later-in-KDC-cleanup.patch
 Patch14: backport-Squash-unused-variable-warnings-in-kdb5_ldap_util.patch
 Patch15: CVE-2023-36054.patch
 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -327,6 +328,9 @@ make -C src check || :
 %changelog
 * Tue Aug 15 2023 liningjie <liningjie@xfusion.com> - 1.19.2-9
 - fix CVE-2023-36054
 * Thu Jun 15 2023 xuraoqing <xuraoqing@huawei.com> - 1.19.2-8
 - add version for Obsoletes and Provides of workstation