From 411d6909dea79c3e1a066d224e5cb18d27f83c65 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 28 Nov 2022 04:18:46 -0500 Subject: [PATCH] import krb5-1.19.1-24.el9_1 --- ...Fix-integer-overflows-in-PAC-parsing.patch | 106 ++++++++++++++++++ SPECS/krb5.spec | 7 +- 2 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 SOURCES/Fix-integer-overflows-in-PAC-parsing.patch diff --git a/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch new file mode 100644 index 0000000..36e10f8 --- /dev/null +++ b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch @@ -0,0 +1,106 @@ +From 7d68cfc84cd7d0657c01afa52dfe69181b401a4a Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from +the KDC process's memory by having them copied into the PAC of a new +ticket. + +ticket: 9074 (new) +tags: pullup +target_version: 1.20-next +target_version: 1.19-next +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index 950beda657..1b9ef12276 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index ee47152ee4..ccd165380d 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 + }; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + static const char *s4u_principal = "w2k8u@ACME.COM"; + static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +@@ -646,6 +656,14 @@ main(int argc, char **argv) + krb5_free_principal(context, sep); + } + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.37.3 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index 89d1541..2d2d671 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.19.1 -Release: %{?zdpd}23%{?dist} +Release: %{?zdpd}24%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz @@ -99,6 +99,7 @@ Patch34: krb5-krad-remote.patch Patch35: krb5-krad-larger-attrs.patch Patch36: Set-reasonable-supportedCMSTypes-in-PKINIT.patch Patch37: Make-kprop-work-for-dump-files-larger-than-4GB.patch +Patch38: Fix-integer-overflows-in-PAC-parsing.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -656,6 +657,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Nov 08 2022 Julien Rische - 1.19.1-24 +- Fix integer overflows in PAC parsing (CVE-2022-42898) +- Resolves: rhbz#2140970 + * Tue Oct 18 2022 Julien Rische - 1.19.1-23 - Fix kprop for propagating dump files larger than 4GB - Resolves: rhbz#2133014