krb5 / 3e60938
Fixes CVE-2023-36054: a remote authenticated attacker can cause kadmind to free an uninitialized pointer. Upstream believes remote code execution is unlikely. Closes: #1043431 Sam Hartman 8 months ago
3 changed file(s) with 72 addition(s) and 0 deletion(s).
krb5 (1.20.1-3) unstable; urgency=high

  * Fixes CVE-2023-36054: a remote authenticated attacker can cause
    kadmind to free an uninitialized pointer. Upstream believes remote
    code execution is unlikely. Closes: #1043431

 -- Sam Hartman <hartmans@debian.org>  Mon, 14 Aug 2023 14:06:53 -0600

krb5 (1.20.1-2) unstable; urgency=medium

  * Tighten dependencies on libkrb5support0. This means that the entire
debian-local/0007-Fix-pkg-config-library-include-paths.patch
debian-local/0008-Use-isystem-for-include-paths.patch
0009-Add-.gitignore.patch
upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 21 Jun 2023 10:57:39 -0400
Subject: Ensure array count consistency in kadm5 RPC

In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.

CVE-2023-36054:

An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.

ticket: 9099 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next

(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
---
 src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

27 diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
28 index 0411c3f..287cae7 100644
29 --- a/src/lib/kadm5/kadm_rpc_xdr.c
30 +++ b/src/lib/kadm5/kadm_rpc_xdr.c
31 @@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
32 int v)
33 {
34 unsigned int n;
35 + bool_t r;
36
37 if (!xdr_krb5_principal(xdrs, &objp->principal)) {
38 return (FALSE);
39 @@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
40 if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
41 return (FALSE);
42 }
43 + if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
44 + return (FALSE);
45 + }
46 if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
47 return (FALSE);
48 }
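Review bot: the new `objp->n_key_data < 0` rejection is applied only in the XDR_DECODE direction, and the `n_tl_data` value decoded by `xdr_krb5_int16()` on the very next line gets no equivalent guard. If n_tl_data is also consumed as a count later in this function it deserves the same `< 0` check; if it is not, a one-line comment here saying why n_key_data is the only count that needs it would save the next reader the same question.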
49 @@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
50 return FALSE;
51 }
52 n = objp->n_key_data;
53 - if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
54 - &n, ~0, sizeof(krb5_key_data),
55 - xdr_krb5_key_data_nocontents)) {
56 + r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
57 + sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
58 + objp->n_key_data = n;
59 + if (!r) {
60 return (FALSE);
61 }
62
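Review bot: the unconditional `objp->n_key_data = n;` placed before `if (!r)` is the load-bearing line of this hunk and deserves a comment. Writing `n` back to the struct even when `xdr_array()` fails is what keeps the int16 count field in step with the array that a later XDR_FREE pass will walk, and a future cleanup could plausibly move the assignment under the success path without that explanation. Worth a second comment: `n` is an `unsigned int` and `n_key_data` a `krb5_int16`, so the assignment narrows; on the decode path the new maxsize of `objp->n_key_data` bounds `n` to a value that fits, which is the reason the narrowing is safe here.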
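The count mismatch the commit message describes, modelled as a small stand-alone C program. This is an added example, not krb5 or libtirpc code: `toy_ent`, `toy_xdr_array`, `decode_ent`, `free_ent`, `run_case` and the three `MSG_*` byte strings are all this example's own constructions, and the wire layout is a simplified XDR-like one. It runs the pre-patch flow (maxsize `~0`, count field never reconciled) and the patched flow (negative check, maxsize equal to `n_key_data`, `n_key_data` resynced from the array length word even on failure) side by side, and instruments the free path so that it reports how many elements a count-driven XDR_FREE walk would touch beyond the allocation instead of actually doing so.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (added example, not krb5 or libtirpc code) of the structure that
 * _xdr_kadm5_principal_ent_rec() decodes: the count field n_key_data travels
 * separately from the XDR array's own length word, so the two can disagree.
 * key_data stands in for the krb5_key_data array; alloc_count is
 * instrumentation the real struct does not have. */
typedef struct {
    int16_t n_key_data;
    char  **key_data;
    size_t  alloc_count;
} toy_ent;

typedef struct { unsigned int out_of_bounds; unsigned int leaked; } free_report;
typedef struct { bool decoded; free_report rep; } case_result;

static bool get_u32(const uint8_t **p, const uint8_t *end, uint32_t *v) {
    if (end - *p < 4) return false;
    *v = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
         ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    return true;
}

/* Models xdr_array() decoding: the length word is stored into *sizep first,
 * then range-checked against maxsize, then a zero-filled array is allocated
 * and each element decoded. */
static bool toy_xdr_array(const uint8_t **p, const uint8_t *end, toy_ent *out,
                          unsigned int *sizep, unsigned int maxsize) {
    uint32_t c, k, i;
    if (!get_u32(p, end, &c)) return false;
    *sizep = c;
    if (c > maxsize) return false;
    if (c == 0) return true;                 /* array pointer stays NULL */
    out->key_data = calloc(c, sizeof(char *));
    if (!out->key_data) return false;
    out->alloc_count = c;                    /* zeroed, so freeing each slot is safe */
    for (i = 0; i < c; i++) {
        if (!get_u32(p, end, &k)) return false;
        out->key_data[i] = malloc(16);
        if (!out->key_data[i]) return false;
        snprintf(out->key_data[i], 16, "%u", k);
    }
    return true;
}

/* Constructed wire layout: n_key_data as a 4-byte int, then the array length
 * word, then that many 4-byte elements. fixed=false follows the pre-patch
 * code, fixed=true the patched code. */
static bool decode_ent(const uint8_t *buf, size_t len, toy_ent *out, bool fixed) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t raw;
    unsigned int n, maxsize;
    bool r;
    memset(out, 0, sizeof(*out));
    if (!get_u32(&p, end, &raw)) return false;
    out->n_key_data = (int16_t)raw;          /* truncating cast, as xdr_krb5_int16 does */
    if (fixed && out->n_key_data < 0) return false;     /* the patch's new check */
    n = (unsigned int)out->n_key_data;       /* -1 becomes 4294967295 here */
    maxsize = fixed ? (unsigned int)out->n_key_data : ~0u;
    r = toy_xdr_array(&p, end, out, &n, maxsize);
    if (fixed) out->n_key_data = (int16_t)n; /* resync even when r is false */
    return r;
}

/* Models xdr_array(XDR_FREE) as the real free path drives it: by the count
 * field, not by what was allocated. To stay memory-safe it frees only real
 * slots and reports how far past the allocation the real walk would go. */
static free_report free_ent(toy_ent *e) {
    free_report rep = {0, 0};
    unsigned int n = (unsigned int)e->n_key_data;
    size_t i;
    if (e->key_data == NULL) return rep;     /* xdr_array returns early on NULL */
    if (n > e->alloc_count) rep.out_of_bounds = n - (unsigned int)e->alloc_count;
    else rep.leaked = (unsigned int)(e->alloc_count - n);
    for (i = 0; i < e->alloc_count; i++) free(e->key_data[i]);
    free(e->key_data);
    e->key_data = NULL;
    return rep;
}

static case_result run_case(const uint8_t *msg, size_t len, bool fixed) {
    toy_ent e;
    case_result r;
    r.decoded = decode_ent(msg, len, &e, fixed);
    r.rep = free_ent(&e);                    /* RPC layer frees on success and failure */
    return r;
}

/* Constructed messages whose count field and array length word disagree. */
static const uint8_t MSG_SHORT[] = { 0,0,0,3, 0,0,0,1, 0,0,0,42 };                 /* says 3, sends 1 */
static const uint8_t MSG_LONG[]  = { 0,0,0,1, 0,0,0,3, 0,0,0,1, 0,0,0,2, 0,0,0,3 }; /* says 1, sends 3 */
static const uint8_t MSG_NEG[]   = { 0xff,0xff,0xff,0xff, 0,0,0,1, 0,0,0,7 };       /* says -1, sends 1 */

int main(void) {
    const struct { const char *name; const uint8_t *msg; size_t len; } cases[] = {
        { "short", MSG_SHORT, sizeof MSG_SHORT },
        { "long",  MSG_LONG,  sizeof MSG_LONG  },
        { "neg",   MSG_NEG,   sizeof MSG_NEG   },
    };
    size_t i;
    int fixed;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (fixed = 0; fixed < 2; fixed++) {
            case_result r = run_case(cases[i].msg, cases[i].len, fixed);
            printf("%-5s %-9s decoded=%d out_of_bounds=%u leaked=%u\n", cases[i].name,
                   fixed ? "patched" : "unpatched", (int)r.decoded,
                   r.rep.out_of_bounds, r.rep.leaked);
        }
    return 0;
}
```

Running it prints one line per message and variant. The `short` message is the case the advisory describes: the pre-patch flow accepts a one-element array under a count field of 3 and the count-driven free walks two slots past the allocation, while the patched flow resyncs `n_key_data` to 1 and the walk matches. `long` is the leak direction (count 1, three elements allocated), which the patched maxsize rejects outright. `neg` shows the int16-to-unsigned conversion turning -1 into a walk of 4294967295 slots, which the new `< 0` check now refuses before any array is read.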