From 5b9553d6583f1d14440cb6ba518ea9aaaac62ea5 Mon Sep 17 00:00:00 2001 From: xuraoqing Date: Tue, 29 Aug 2023 10:08:59 +0800 Subject: [PATCH] fix CVE-2023-39975 Signed-off-by: xuraoqing --- ...ix-double-free-in-KDC-TGS-processing.patch | 46 +++++++++++++++++++ krb5.spec | 4 ++ 2 files changed, 50 insertions(+) create mode 100644 fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch diff --git a/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch b/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch new file mode 100644 index 0000000..f553ea0 --- /dev/null +++ b/fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch 
@@ -0,0 +1,46 @@ +From 88a1701b423c13991a8064feeb26952d3641d840 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 4 Aug 2023 09:54:06 +0200 +Subject: [PATCH] Fix double-free in KDC TGS processing + +When issuing a ticket for a TGS renew or validate request, copy only +the server field from the outer part of the header ticket to the new +ticket. Copying the whole structure causes the enc_part pointer to be +aliased to the header ticket until krb5_encrypt_tkt_part() is called, +resulting in a double-free if handle_authdata() fails. + +[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather +than check for aliasing before freeing; rewrote commit message] + +CVE-2023-39975: + +In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to +free the same pointer twice if it can induce a failure in +authorization data handling. + +ticket: 9101 (new) +tags: pullup +target_version: 1.21-next +--- + src/kdc/do_tgs_req.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 6e4c8fa9f..0acc45850 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t, + } + + if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) { +- /* Copy the whole header ticket except for authorization data. */ +- ticket_reply = *t->header_tkt; ++ /* Copy the header ticket server and all enc-part fields except for ++ * authorization data. */ ++ ticket_reply.server = t->header_tkt->server; + enc_tkt_reply = *t->header_tkt->enc_part2; + enc_tkt_reply.authorization_data = NULL; + } else { +-- +2.33.0 + diff --git a/krb5.spec b/krb5.spec index c844142..17279f9 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -26,6 +26,7 @@ Patch2: Adjust-build-configuration.patch Patch3: netlib-and-dns.patch Patch4: fix-debuginfo-with-y.tab.c.patch Patch5: Remove-3des-support.patch +Patch6: fix-CVE-2023-39975-Fix-double-free-in-KDC-TGS-processing.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -324,6 +325,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Tue Aug 29 2023 wangyunjia - 1.21.1-2 +- fix CVE-2023-39975 + * Sat Jul 22 2023 wangyunjia - 1.21.1-1 - Update to 1.21.1 -- Gitee
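Review bot: In the do_tgs_req.c hunk, `ticket_reply.server = t->header_tkt->server;` still shares the server principal pointer with the header ticket, and `enc_tkt_reply = *t->header_tkt->enc_part2;` still shares every pointer member of enc_part2 (client, session, and so on); the fix only removes the enc_part alias the commit message describes. Confirm that the cleanup path for ticket_reply and enc_tkt_reply only frees enc_part (and the fields this function allocates itself) and never calls krb5_free_principal on ticket_reply.server or frees enc_tkt_reply's copied members, otherwise the same double-free pattern remains for those pointers. The hunk also no longer assigns the whole struct, so it relies on ticket_reply having been zero-initialized earlier in tgs_issue_ticket(); that initialization is outside the visible context and should be checked so that enc_part and magic are not left indeterminate before krb5_encrypt_tkt_part() runs.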
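Review bot: The krb5.spec hunk at `@@ -26,6 +26,7 @@` declares `Patch6:` but nothing visible applies it; if this spec uses explicit `%patch` lines in `%prep` rather than `%autosetup -p1`, a matching `%patch6 -p1` is required or the CVE fix is listed but never compiled in. The build should verify that the patched do_tgs_req.c actually ends up in the package (for example by checking the build log for the patch being applied).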
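Review bot: The changelog hunk at `@@ -324,6 +325,9 @@` records `1.21.1-2`, but the diffstat shows krb5.spec with 4 insertions and 0 deletions (the Patch6 line plus the three changelog lines), so the `Release:` tag was not bumped; without that change the built package keeps the 1.21.1-1 NEVR and will not be picked up as an update. The changelog entry also names wangyunjia while the commit author is xuraoqing; align the entry with the actual author or keep it consistent with the project's convention.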