From 3f79a0898583ac0e69e17968e0f1a2304f75342c Mon Sep 17 00:00:00 2001
From: liningjie
Date: Tue, 15 Aug 2023 12:12:15 +0800
Subject: [PATCH] fix CVE-2023-36054
---
 CVE-2023-36054.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++
 krb5.spec | 6 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-36054.patch
diff --git a/CVE-2023-36054.patch b/CVE-2023-36054.patch
new file mode 100644
index 0000000..3c2aa3d
--- /dev/null
+++ b/CVE-2023-36054.patch
@@ -0,0 +1,65 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3..287cae750 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+ }
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) 
&objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.41.0.windows.3 + diff --git a/krb5.spec b/krb5.spec index 962b695..455dcd8 100644 --- a/krb5.spec +++ b/krb5.spec @@ -3,7 +3,7 @@ Name: krb5 Version: 1.19.2 -Release: 8 +Release: 9 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -35,6 +35,7 @@ Patch11: backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch Patch12: backport-Fix-many-unlikely-memory-leaks.patch Patch13: backport-Free-verto-context-later-in-KDC-cleanup.patch Patch14: backport-Squash-unused-variable-warnings-in-kdb5_ldap_util.patch +Patch15: CVE-2023-36054.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -327,6 +328,9 @@ make -C src check || : %changelog +* Tue Aug 15 2023 liningjie - 1.19.2-9 +- fix CVE-2023-36054 + * Thu Jun 15 2023 xuraoqing - 1.19.2-8 - add version for Obsoletes and Provides of workstation -- Gitee
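Review bot: The two added checks in the nested kadm_rpc_xdr.c hunks — the `objp->n_key_data < 0` guard in the second hunk and the `objp->n_key_data = n;` write-back after xdr_array() in the third — carry no comment, and the invariant they enforce is the whole point of the fix, so it should be documented where it lives rather than only in the patch description. Above the guard I would add `/* n_key_data becomes xdr_array()'s maxsize, an unsigned parameter; reject negative counts before they widen to a huge bound. */`, and above the write-back `/* On decode xdr_array() stores the actual element count in n (bounded by n_key_data); copy it back so XDR_FREE later walks exactly the elements that were allocated. */`. _xdr_kadm5_principal_ent_rec() begins and ends outside all three nested hunks, and their line offsets come from the upstream tree, so the backport should be confirmed to apply to 1.19.2's kadm_rpc_xdr.c without fuzz rejecting the later hunks. The krb5.spec hunks add `Patch15: CVE-2023-36054.patch` but show no matching `%patch15` directive; that is only sufficient if the spec applies patches with %autosetup, which is not visible in this diff.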