mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
krb5: Fix CVE-2023-36054
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count. References: https://nvd.nist.gov/vuln/detail/CVE-2023-36054 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
7c127728e7
commit
39d15cf5cb
@@ -0,0 +1,68 @@
|
|||||||
|
From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Mon, 21 Aug 2023 03:08:15 +0000
|
||||||
|
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
|
||||||
|
|
||||||
|
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
|
||||||
|
key_data array count when decoding. Otherwise when the structure is
|
||||||
|
later freed, xdr_array() could iterate over the wrong number of
|
||||||
|
elements, either leaking some memory or freeing uninitialized
|
||||||
|
pointers. Reported by Robert Morris.
|
||||||
|
|
||||||
|
CVE: CVE-2023-36054
|
||||||
|
|
||||||
|
An authenticated attacker can cause a kadmind process to crash by
|
||||||
|
freeing uninitialized pointers. Remote code execution is unlikely.
|
||||||
|
An attacker with control of a kadmin server can cause a kadmin client
|
||||||
|
to crash by freeing uninitialized pointers.
|
||||||
|
|
||||||
|
ticket: 9099 (new)
|
||||||
|
tags: pullup
|
||||||
|
target_version: 1.21-next
|
||||||
|
target_version: 1.20-next
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
|
||||||
|
|
||||||
|
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
|
||||||
|
---
|
||||||
|
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
|
||||||
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
|
||||||
|
index 2892d41..94b1ce8 100644
|
||||||
|
--- a/src/lib/kadm5/kadm_rpc_xdr.c
|
||||||
|
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
|
||||||
|
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||||
|
int v)
|
||||||
|
{
|
||||||
|
unsigned int n;
|
||||||
|
+ bool_t r;
|
||||||
|
|
||||||
|
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
|
||||||
|
return (FALSE);
|
||||||
|
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||||
|
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
|
||||||
|
return (FALSE);
|
||||||
|
}
|
||||||
|
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
|
||||||
|
+ return (FALSE);
|
||||||
|
+ }
|
||||||
|
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
|
||||||
|
return (FALSE);
|
||||||
|
}
|
||||||
|
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
n = objp->n_key_data;
|
||||||
|
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
|
||||||
|
- &n, ~0, sizeof(krb5_key_data),
|
||||||
|
- xdr_krb5_key_data_nocontents)) {
|
||||||
|
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
|
||||||
|
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
|
||||||
|
+ objp->n_key_data = n;
|
||||||
|
+ if (!r) {
|
||||||
|
return (FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -33,6 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
|
|||||||
file://CVE-2021-36222.patch;striplevel=2 \
|
file://CVE-2021-36222.patch;striplevel=2 \
|
||||||
file://CVE-2021-37750.patch;striplevel=2 \
|
file://CVE-2021-37750.patch;striplevel=2 \
|
||||||
file://CVE-2022-42898.patch;striplevel=2 \
|
file://CVE-2022-42898.patch;striplevel=2 \
|
||||||
|
file://CVE-2023-36054.patch;striplevel=2 \
|
||||||
"
|
"
|
||||||
SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
|
SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f"
|
||||||
SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"
|
SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134"
|
||||||
|
|||||||
Reference in New Issue
Block a user