Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
krb5.34552
0013-Fix-integer-overflows-in-PAC-parsing.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0013-Fix-integer-overflows-in-PAC-parsing.patch of Package krb5.34552
From f18f3fe6d52e335447ea4f32752db64c966d2b44 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Mon, 7 Nov 2022 15:29:41 +0100 Subject: [PATCH] Fix integer overflows in PAC parsing In krb5_parse_pac(), check for buffer counts large enough to threaten integer overflow in the header length and memory length calculations. Avoid potential integer overflows when checking the length of each buffer. Credit to OSS-Fuzz for discovering one of the issues. CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash. On 32-bit platforms, an attacker can also cause insufficient memory to be allocated for the result, potentially leading to remote code execution in a KDC, kadmind, or GSS or Kerberos application server process. An attacker with the privileges of a cross-realm KDC may be able to extract secrets from a KDC process's memory by having them copied into the PAC of a new ticket. ticket: 9074 (new) tags: pullup target_version: 1.20-next target_version: 1.19-next --- src/lib/krb5/krb/pac.c | 9 +++++++-- src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index c9b5de30a..ff32092d1 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -27,6 +27,8 @@ #include "k5-int.h" #include "authdata.h" +#define MAX_BUFFERS 4096 + /* draft-brezak-win2k-krb-authz-00 */ /* @@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, if (version != 0) return EINVAL; + if (cbuffers < 1 || cbuffers > MAX_BUFFERS) + return ERANGE; + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); if (len < header_len) return ERANGE; @@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, krb5_pac_free(context, pac); return EINVAL; } - if (buffer->Offset < header_len || - buffer->Offset + buffer->cbBufferSize > len) { + if (buffer->Offset < header_len || buffer->Offset > len || + buffer->cbBufferSize > len - buffer->Offset) { krb5_pac_free(context, pac); return ERANGE; } diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c index 61fb51a98..f015e7d8a 100644 --- a/src/lib/krb5/krb/t_pac.c +++ b/src/lib/krb5/krb/t_pac.c @@ -81,6 +81,16 @@ static const unsigned char saved_pac[] = { 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00 }; +static const unsigned char fuzz1[] = { + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 +}; + +static const unsigned char fuzz2[] = { + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, + 0x20, 0x20 +}; + static unsigned int type_1_length = 472; static const krb5_keyblock kdc_keyblock = { @@ -227,6 +237,14 @@ main(int argc, char **argv) krb5_pac_free(context, pac); + /* Check problematic PACs found by fuzzing. */ + ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); + if (!ret) + err(context, ret, "krb5_pac_parse should have failed"); + ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); + if (!ret) + err(context, ret, "krb5_pac_parse should have failed"); + /* * Test empty free */ -- 2.38.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor