diff --git a/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch new file mode 100644 index 0000000..3138b3a --- /dev/null +++ b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch @@ -0,0 +1,106 @@ +From 5741c46c084513d4d6b04e1e6abf810dbd996591 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from +the KDC process's memory by having them copied into the PAC of a new +ticket. + +ticket: 9074 (new) +tags: pullup +target_version: 1.20-next +target_version: 1.19-next +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index c70585a9eb..b0baa01930 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index 61fb51a98a..d7342bff9c 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -96,6 +96,16 @@ static const krb5_keyblock member_keyblock = { + static time_t authtime = 1120440609; + static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + #if !defined(__cplusplus) && (__GNUC__ > 2) + static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) + __attribute__((__format__(__printf__, 3, 0))); +@@ -227,6 +237,14 @@ main(int argc, char **argv) + + krb5_pac_free(context, pac); + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.37.3 + diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec index b94d8da..f1517eb 100644 --- a/SPECS/krb5.spec +++ b/SPECS/krb5.spec @@ -12,7 +12,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.15.1 -Release: 54%{?dist} +Release: 55%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar @@ -143,6 +143,7 @@ Patch230: Fix-LDAP-policy-enforcement-of-pw_expiration.patch Patch231: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch Patch232: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch Patch233: Try-harder-to-avoid-password-change-replay-errors.patch +Patch234: Fix-integer-overflows-in-PAC-parsing.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -419,6 +420,7 @@ ONLY by kerberos itself. Do not depend on this package. %patch231 -p1 -b .Fix-KDC-null-deref-on-TGS-inner-body-null-server %patch232 -p1 -b .Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest %patch233 -p1 -b .Try-harder-to-avoid-password-change-replay-errors +%patch234 -p1 -b .Fix-integer-overflows-in-PAC-parsing ln NOTICE LICENSE @@ -926,6 +928,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Nov 08 2022 Julien Rische - 1.15.1-55 +- Fix integer overflows in PAC parsing (CVE-2022-42898) +- Resolves: rhbz#2140961 + * Wed Apr 27 2022 Julien Rische - 1.15.1-54 - Try harder to avoid password change replay errors - Resolves: #2063163