Message ID | 20230825073923.1528500-1-soumya.sambu@windriver.com |
---|---|
State | New |
Headers | show |
Series | [meta-oe,master,mickledore,1/1] krb5: Fix CVE-2023-36054 | expand |
On Fri, 2023-08-25 at 07:39 +0000, Soumya via lists.openembedded.org wrote: > From: Soumya Sambu <soumya.sambu@windriver.com> > > lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 > and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote > authenticated user can trigger a kadmind crash. This occurs because > _xdr_kadm5_principal_ent_rec does not validate the relationship > between n_key_data and the key_data array count. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2023-36054 > > Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > --- > .../krb5/krb5/CVE-2023-36054.patch | 68 > +++++++++++++++++++ > .../recipes-connectivity/krb5/krb5_1.20.1.bb | 1 + I think this recipe can be upgraded to 1.20.2 instead. Thanks, Anuj > 2 files changed, 69 insertions(+) > create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2023- > 36054.patch > > diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023- > 36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023- > 36054.patch > new file mode 100644 > index 000000000..160c090bc > --- /dev/null > +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch > @@ -0,0 +1,68 @@ > +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 > 2001 > +From: Greg Hudson <ghudson@mit.edu> > +Date: Mon, 21 Aug 2023 03:08:15 +0000 > +Subject: [PATCH] Ensure array count consistency in kadm5 RPC > + > +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches > the > +key_data array count when decoding. Otherwise when the structure is > +later freed, xdr_array() could iterate over the wrong number of > +elements, either leaking some memory or freeing uninitialized > +pointers. Reported by Robert Morris. > + > +CVE: CVE-2023-36054 > + > +An authenticated attacker can cause a kadmind process to crash by > +freeing uninitialized pointers. Remote code execution is unlikely. > +An attacker with control of a kadmin server can cause a kadmin > client > +to crash by freeing uninitialized pointers. > + > +ticket: 9099 (new) > +tags: pullup > +target_version: 1.21-next > +target_version: 1.20-next > + > +Upstream-Status: Backport > [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f15 > 83053cdd] > + > +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> > +--- > + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- > + 1 file changed, 8 insertions(+), 3 deletions(-) > + > +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c > b/src/lib/kadm5/kadm_rpc_xdr.c > +index 2892d41..94b1ce8 100644 > +--- a/src/lib/kadm5/kadm_rpc_xdr.c > ++++ b/src/lib/kadm5/kadm_rpc_xdr.c > +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, > kadm5_principal_ent_rec *objp, > + int v) > + { > + unsigned int n; > ++ bool_t r; > + > + if (!xdr_krb5_principal(xdrs, &objp->principal)) { > + return (FALSE); > +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, > kadm5_principal_ent_rec *objp, > + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { > + return (FALSE); > + } > ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { > ++ return (FALSE); > ++ } > + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { > + return (FALSE); > + } > +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, > kadm5_principal_ent_rec *objp, > + return FALSE; > + } > + n = objp->n_key_data; > +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, > +- &n, ~0, sizeof(krb5_key_data), > +- xdr_krb5_key_data_nocontents)) { > ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp- > >n_key_data, > ++ sizeof(krb5_key_data), > xdr_krb5_key_data_nocontents); > ++ objp->n_key_data = n; > ++ if (!r) { > + return (FALSE); > + } > + > +-- > +2.40.0 > diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta- > oe/recipes-connectivity/krb5/krb5_1.20.1.bb > index 10fff11c2..e353b58aa 100644 > --- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb > +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb > @@ -29,6 +29,7 @@ SRC_URI = > "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ > file://etc/default/krb5-admin-server \ > file://krb5-kdc.service \ > file://krb5-admin-server.service \ > + file://CVE-2023-36054.patch;striplevel=2 \ > " > SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" > SRC_URI[sha256sum] = > "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#104600): > https://lists.openembedded.org/g/openembedded-devel/message/104600 > Mute This Topic: https://lists.openembedded.org/mt/100951656/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Sent patch for master branch to upgrade krb5 1.20.1 -> 1.20.2 - https://lore.kernel.org/openembedded-devel/20230901171832.276070-1-soumya.sambu@windriver.com/T/#u Regards, Soumya
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 000000000..160c090bc --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch @@ -0,0 +1,68 @@ +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 21 Aug 2023 03:08:15 +0000 +Subject: [PATCH] Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE: CVE-2023-36054 + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2892d41..94b1ce8 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb index 10fff11c2..e353b58aa 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb @@ -29,6 +29,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2023-36054.patch;striplevel=2 \ " SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686" SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"