PR#24: Fix integer overflows in PAC parsing (CVE-2022-42898) [f36] - rpms/krb5

rpms / krb5

#24 Fix integer overflows in PAC parsing (CVE-2022-42898) [f36]

Merged a year ago by jrische. Opened a year ago by jrische.

rpms/ jrische/krb5 f36-cve-2022-42898 into f36

Fix integer overflows in PAC parsing (CVE-2022-42898)

Julien Rische • a year ago

f20fff9

Fix-integer-overflows-in-PAC-parsing.patch

file added

+106

		`@@ -0,0 +1,106 @@`
		`+ From c0f643a96272d11ae1255bc361f24133d1e58b74 Mon Sep 17 00:00:00 2001`
		`+ From: Greg Hudson <ghudson@mit.edu>`
		`+ Date: Mon, 17 Oct 2022 20:25:11 -0400`
		`+ Subject: [PATCH] Fix integer overflows in PAC parsing`
		`+`
		`+ In krb5_parse_pac(), check for buffer counts large enough to threaten`
		`+ integer overflow in the header length and memory length calculations.`
		`+ Avoid potential integer overflows when checking the length of each`
		`+ buffer.`
		`+`
		`+ CVE-2022-42898:`
		`+`
		`+ In MIT krb5 releases 1.8 and later, an authenticated attacker may be`
		`+ able to cause a KDC or kadmind process to crash by reading beyond the`
		`+ bounds of allocated memory, creating a denial of service. A`
		`+ privileged attacker may similarly be able to cause a Kerberos or GSS`
		`+ application service to crash. On 32-bit platforms, an attacker can`
		`+ also cause insufficient memory to be allocated for the result,`
		`+ potentially leading to remote code execution in a KDC, kadmind, or GSS`
		`+ or Kerberos application server process. An attacker with the`
		`+ privileges of a cross-realm KDC may be able to extract secrets from`
		`+ the KDC process's memory by having them copied into the PAC of a new`
		`+ ticket.`
		`+`
		`+ ticket: 9074 (new)`
		`+ tags: pullup`
		`+ target_version: 1.20-next`
		`+ target_version: 1.19-next`
		`+ ---`
		`+ src/lib/krb5/krb/pac.c \| 9 +++++++--`
		`+ src/lib/krb5/krb/t_pac.c \| 18 ++++++++++++++++++`
		`+ 2 files changed, 25 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c`
		`+ index 950beda657..1b9ef12276 100644`
		`+ --- a/src/lib/krb5/krb/pac.c`
		`+ +++ b/src/lib/krb5/krb/pac.c`
		`+ @@ -27,6 +27,8 @@`
		`+ #include "k5-int.h"`
		`+ #include "authdata.h"`
		`+`
		`+ +#define MAX_BUFFERS 4096`
		`+ +`
		`+ /* draft-brezak-win2k-krb-authz-00 */`
		`+`
		`+ /*`
		`+ @@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,`
		`+ if (version != 0)`
		`+ return EINVAL;`
		`+`
		`+ + if (cbuffers < 1 \|\| cbuffers > MAX_BUFFERS)`
		`+ + return ERANGE;`
		`+ +`
		`+ header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);`
		`+ if (len < header_len)`
		`+ return ERANGE;`
		`+ @@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,`
		`+ krb5_pac_free(context, pac);`
		`+ return EINVAL;`
		`+ }`
		`+ - if (buffer->Offset < header_len \|\|`
		`+ - buffer->Offset + buffer->cbBufferSize > len) {`
		`+ + if (buffer->Offset < header_len \|\| buffer->Offset > len \|\|`
		`+ + buffer->cbBufferSize > len - buffer->Offset) {`
		`+ krb5_pac_free(context, pac);`
		`+ return ERANGE;`
		`+ }`
		`+ diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c`
		`+ index ee47152ee4..ccd165380d 100644`
		`+ --- a/src/lib/krb5/krb/t_pac.c`
		`+ +++ b/src/lib/krb5/krb/t_pac.c`
		`+ @@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {`
		`+ 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00`
		`+ };`
		`+`
		`+ +static const unsigned char fuzz1[] = {`
		`+ + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,`
		`+ + 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5`
		`+ +};`
		`+ +`
		`+ +static const unsigned char fuzz2[] = {`
		`+ + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,`
		`+ + 0x20, 0x20`
		`+ +};`
		`+ +`
		`+ static const char *s4u_principal = "w2k8u@ACME.COM";`
		`+ static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";`
		`+`
		`+ @@ -646,6 +656,14 @@ main(int argc, char **argv)`
		`+ krb5_free_principal(context, sep);`
		`+ }`
		`+`
		`+ + /* Check problematic PACs found by fuzzing. */`
		`+ + ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);`
		`+ + if (!ret)`
		`+ + err(context, ret, "krb5_pac_parse should have failed");`
		`+ + ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);`
		`+ + if (!ret)`
		`+ + err(context, ret, "krb5_pac_parse should have failed");`
		`+ +`
		`+ /*`
		`+ * Test empty free`
		`+ */`
		`+ --`
		`+ 2.37.3`
		`+`

krb5.spec

file modified

+6 -1

		`@@ -42,7 +42,7 @@`
		`Summary: The Kerberos network authentication system`
		`Name: krb5`
		`Version: 1.19.2`
		`- Release: %{?zdpd}11%{?dist}`
		`+ Release: %{?zdpd}12%{?dist}`

		`# rharwood has trust path to signing key and verifies on check-in`
		`Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz`
		`@@ -101,6 +101,7 @@`
		`Patch41: Add-configure-variable-for-default-PKCS-11-module.patch`
		`Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch`
		`Patch43: Read-GSS-configuration-files-with-mtime-0.patch`
		`+ Patch44: Fix-integer-overflows-in-PAC-parsing.patch`

		`License: MIT`
		`URL: https://web.mit.edu/kerberos/www/`
		`@@ -651,6 +652,10 @@`
		`%{_libdir}/libkadm5srv_mit.so.*`

		`%changelog`
		`+ * Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-12`
		`+ - Fix integer overflows in PAC parsing (CVE-2022-42898)`
		`+ - Resolves: rhbz#2143010`
		`+`
		`* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11`
		`- Allow libkrad UDP/TCP connection to localhost in FIPS mode`
		`- Resolves: rhbz#2082189`

jrische commented a year ago

In krb5_parse_pac(), check for buffer counts large enough to threaten integer overflow in the header length and memory length calculations. Avoid potential integer overflows when checking the length of each buffer.

Resolves: rhbz#2143010

Metadata Update from @jrische:
- Request assigned

a year ago

rebased onto 0da2a0342544a84fc1ad918c2e1f7d59a4ee305a

a year ago

rebased onto f20fff9

a year ago

jrische commented a year ago

Scratch build actually succeeded.

Pull-Request has been merged by jrische

a year ago