diff mbox series

[meta-oe,master,mickledore,1/1] krb5: Fix CVE-2023-36054

Message ID 20230825073923.1528500-1-soumya.sambu@windriver.com
State New
Headers show
Series [meta-oe,master,mickledore,1/1] krb5: Fix CVE-2023-36054 | expand

Commit Message

Sambu, Soumya Aug. 25, 2023, 7:39 a.m. UTC 
From: Soumya Sambu <soumya.sambu@windriver.com>

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between n_key_data and the key_data array count.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36054

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../krb5/krb5/CVE-2023-36054.patch            | 68 +++++++++++++++++++
 .../recipes-connectivity/krb5/krb5_1.20.1.bb  |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch

Comments

Mittal, Anuj Aug. 25, 2023, 8:08 a.m. UTC | #1 
On Fri, 2023-08-25 at 07:39 +0000, Soumya via lists.openembedded.org
wrote:
> From: Soumya Sambu <soumya.sambu@windriver.com>
> 
> lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
> and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
> authenticated user can trigger a kadmind crash. This occurs because
> _xdr_kadm5_principal_ent_rec does not validate the relationship
> between n_key_data and the key_data array count.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-36054
> 
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> ---
>  .../krb5/krb5/CVE-2023-36054.patch            | 68
> +++++++++++++++++++
>  .../recipes-connectivity/krb5/krb5_1.20.1.bb  |  1 +

I think this recipe can be upgraded to 1.20.2 instead.

Thanks,

Anuj

>  2 files changed, 69 insertions(+)
>  create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-
> 36054.patch
> 
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-
> 36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-
> 36054.patch
> new file mode 100644
> index 000000000..160c090bc
> --- /dev/null
> +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
> @@ -0,0 +1,68 @@
> +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00
> 2001
> +From: Greg Hudson <ghudson@mit.edu>
> +Date: Mon, 21 Aug 2023 03:08:15 +0000
> +Subject: [PATCH] Ensure array count consistency in kadm5 RPC
> +
> +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches
> the
> +key_data array count when decoding.  Otherwise when the structure is
> +later freed, xdr_array() could iterate over the wrong number of
> +elements, either leaking some memory or freeing uninitialized
> +pointers.  Reported by Robert Morris.
> +
> +CVE: CVE-2023-36054
> +
> +An authenticated attacker can cause a kadmind process to crash by
> +freeing uninitialized pointers.  Remote code execution is unlikely.
> +An attacker with control of a kadmin server can cause a kadmin
> client
> +to crash by freeing uninitialized pointers.
> +
> +ticket: 9099 (new)
> +tags: pullup
> +target_version: 1.21-next
> +target_version: 1.20-next
> +
> +Upstream-Status: Backport
> [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f15
> 83053cdd]
> +
> +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> +---
> + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
> + 1 file changed, 8 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c
> b/src/lib/kadm5/kadm_rpc_xdr.c
> +index 2892d41..94b1ce8 100644
> +--- a/src/lib/kadm5/kadm_rpc_xdr.c
> ++++ b/src/lib/kadm5/kadm_rpc_xdr.c
> +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs,
> kadm5_principal_ent_rec *objp,
> +                            int v)
> + {
> +       unsigned int n;
> ++      bool_t r;
> +
> +       if (!xdr_krb5_principal(xdrs, &objp->principal)) {
> +               return (FALSE);
> +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs,
> kadm5_principal_ent_rec *objp,
> +       if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
> +               return (FALSE);
> +       }
> ++      if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
> ++              return (FALSE);
> ++      }
> +       if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
> +               return (FALSE);
> +       }
> +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs,
> kadm5_principal_ent_rec *objp,
> +               return FALSE;
> +       }
> +       n = objp->n_key_data;
> +-      if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
> +-                     &n, ~0, sizeof(krb5_key_data),
> +-                     xdr_krb5_key_data_nocontents)) {
> ++      r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp-
> >n_key_data,
> ++                    sizeof(krb5_key_data),
> xdr_krb5_key_data_nocontents);
> ++      objp->n_key_data = n;
> ++      if (!r) {
> +               return (FALSE);
> +       }
> +
> +--
> +2.40.0
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-
> oe/recipes-connectivity/krb5/krb5_1.20.1.bb
> index 10fff11c2..e353b58aa 100644
> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
> @@ -29,6 +29,7 @@ SRC_URI =
> "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
>             file://etc/default/krb5-admin-server \
>             file://krb5-kdc.service \
>             file://krb5-admin-server.service \
> +           file://CVE-2023-36054.patch;striplevel=2 \
>  "
>  SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
>  SRC_URI[sha256sum] =
> "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#104600):
> https://lists.openembedded.org/g/openembedded-devel/message/104600
> Mute This Topic: https://lists.openembedded.org/mt/100951656/3616702
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-devel/unsub [
> anuj.mittal@intel.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Sambu, Soumya Sept. 1, 2023, 5:53 p.m. UTC | #2 
Sent patch for master branch to upgrade krb5 1.20.1 -> 1.20.2 - https://lore.kernel.org/openembedded-devel/20230901171832.276070-1-soumya.sambu@windriver.com/T/#u

Regards,
Soumya
diff mbox series

Patch

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
new file mode 100644
index 000000000..160c090bc
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch
@@ -0,0 +1,68 @@ 
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 21 Aug 2023 03:08:15 +0000
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+
+CVE: CVE-2023-36054
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 2892d41..94b1ce8 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+			     int v)
+ {
+	unsigned int n;
++	bool_t r;
+
+	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+		return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+		return (FALSE);
+	}
++	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++		return (FALSE);
++	}
+	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+		return (FALSE);
+	}
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+		return FALSE;
+	}
+	n = objp->n_key_data;
+-	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-		       &n, ~0, sizeof(krb5_key_data),
+-		       xdr_krb5_key_data_nocontents)) {
++	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++	objp->n_key_data = n;
++	if (!r) {
+		return (FALSE);
+	}
+
+--
+2.40.0
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
index 10fff11c2..e353b58aa 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.20.1.bb
@@ -29,6 +29,7 @@  SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
            file://etc/default/krb5-admin-server \
            file://krb5-kdc.service \
            file://krb5-admin-server.service \
+           file://CVE-2023-36054.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "73f5780e7b587ccd8b8cfc10c965a686"
 SRC_URI[sha256sum] = "704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851"