krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing

Upstream-Status: Backport from https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-01-23 10:23:37 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-02-22 11:24:23 -0500
commit: 1172ebfa20a1353b33ad954eee8aff9c03ee35a8 (patch)
tree: a0f456c9e443eee33f98c708ae50223ecb3283d9
parent: d07c7f658fb63c21b172523972885348fc11d974 (diff)
download: meta-openembedded-1172ebfa20a1353b33ad954eee8aff9c03ee35a8.tar.gz
2 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch
new file mode 100644
index 0000000000..6d04bf8980
--- /dev/null
+++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch
@@ -0,0 +1,110 @@
+From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 17 Oct 2022 20:25:11 -0400
+Subject: [PATCH] Fix integer overflows in PAC parsing
+In krb5_parse_pac(), check for buffer counts large enough to threaten
+integer overflow in the header length and memory length calculations.
+Avoid potential integer overflows when checking the length of each
+buffer.  Credit to OSS-Fuzz for discovering one of the issues.
+CVE-2022-42898:
+In MIT krb5 releases 1.8 and later, an authenticated attacker may be
+able to cause a KDC or kadmind process to crash by reading beyond the
+bounds of allocated memory, creating a denial of service.  A
+privileged attacker may similarly be able to cause a Kerberos or GSS
+application service to crash.  On 32-bit platforms, an attacker can
+also cause insufficient memory to be allocated for the result,
+potentially leading to remote code execution in a KDC, kadmind, or GSS
+or Kerberos application server process.  An attacker with the
+privileges of a cross-realm KDC may be able to extract secrets from a
+KDC process's memory by having them copied into the PAC of a new
+ticket.
+(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
+ticket: 9074
+version_fixed: 1.19.4
+Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4]
+CVE: CVE-2022-42898
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/lib/krb5/krb/pac.c   |  9 +++++++--
+ src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index cc74f37..70428a1 100644
+--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
+@@ -27,6 +27,8 @@
+ #include "k5-int.h"
+ #include "authdata.h"
+ 
+#define MAX_BUFFERS 4096
+
+ /* draft-brezak-win2k-krb-authz-00 */
+ 
+ /*
+@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
+     if (version != 0)
+         return EINVAL;
+ 
+    if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
+        return ERANGE;
+
+     header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
+     if (len < header_len)
+         return ERANGE;
+@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
+             krb5_pac_free(context, pac);
+             return EINVAL;
+         }
+-        if (buffer->Offset < header_len ||
+-            buffer->Offset + buffer->cbBufferSize > len) {
+        if (buffer->Offset < header_len || buffer->Offset > len ||
+            buffer->cbBufferSize > len - buffer->Offset) {
+             krb5_pac_free(context, pac);
+             return ERANGE;
+         }
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index 7b756a2..2353e9f 100644
+--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
+@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
+     0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
+ };
+ 
+static const unsigned char fuzz1[] = {
+    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
+    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
+};
+
+static const unsigned char fuzz2[] = {
+    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+    0x20, 0x20
+};
+
+ static const char *s4u_principal = "w2k8u@ACME.COM";
+ static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
+ 
+@@ -646,6 +656,14 @@ main(int argc, char **argv)
+         krb5_free_principal(context, sep);
+     }
+ 
+    /* Check problematic PACs found by fuzzing. */
+    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
+    if (!ret)
+        err(context, ret, "krb5_pac_parse should have failed");
+    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
+    if (!ret)
+        err(context, ret, "krb5_pac_parse should have failed");
+
+     /*
+      * Test empty free
+      */
+-- 
+2.25.1
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
index ae58e2df35..ebcfbc524c 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
           file://krb5-kdc.service \
           file://krb5-admin-server.service \
           file://CVE-2021-36222.patch \
+           file://CVE-2022-42898.patch;striplevel=2 \
 "
 SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"
 SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-01-23 10:23:37 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-02-22 11:24:23 -0500
commit	1172ebfa20a1353b33ad954eee8aff9c03ee35a8 (patch)
tree	a0f456c9e443eee33f98c708ae50223ecb3283d9
parent	d07c7f658fb63c21b172523972885348fc11d974 (diff)
download	meta-openembedded-1172ebfa20a1353b33ad954eee8aff9c03ee35a8.tar.gz

diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch new file mode 100644 index 0000000000..6d04bf8980 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch
@@ -0,0 +1,110 @@
		1	From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001
		2	From: Greg Hudson <ghudson@mit.edu>
		3	Date: Mon, 17 Oct 2022 20:25:11 -0400
		4	Subject: [PATCH] Fix integer overflows in PAC parsing
		5
		6	In krb5_parse_pac(), check for buffer counts large enough to threaten
		7	integer overflow in the header length and memory length calculations.
		8	Avoid potential integer overflows when checking the length of each
		9	buffer. Credit to OSS-Fuzz for discovering one of the issues.
		10
		11	CVE-2022-42898:
		12
		13	In MIT krb5 releases 1.8 and later, an authenticated attacker may be
		14	able to cause a KDC or kadmind process to crash by reading beyond the
		15	bounds of allocated memory, creating a denial of service. A
		16	privileged attacker may similarly be able to cause a Kerberos or GSS
		17	application service to crash. On 32-bit platforms, an attacker can
		18	also cause insufficient memory to be allocated for the result,
		19	potentially leading to remote code execution in a KDC, kadmind, or GSS
		20	or Kerberos application server process. An attacker with the
		21	privileges of a cross-realm KDC may be able to extract secrets from a
		22	KDC process's memory by having them copied into the PAC of a new
		23	ticket.
		24
		25	(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
		26
		27	ticket: 9074
		28	version_fixed: 1.19.4
		29
		30	Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4]
		31	CVE: CVE-2022-42898
		32	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		33	---
		34	src/lib/krb5/krb/pac.c \| 9 +++++++--
		35	src/lib/krb5/krb/t_pac.c \| 18 ++++++++++++++++++
		36	2 files changed, 25 insertions(+), 2 deletions(-)
		37
		38	diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
		39	index cc74f37..70428a1 100644
		40	--- a/src/lib/krb5/krb/pac.c
		41	+++ b/src/lib/krb5/krb/pac.c
		42	@@ -27,6 +27,8 @@
		43	#include "k5-int.h"
		44	#include "authdata.h"
		45
		46	+#define MAX_BUFFERS 4096
		47	+
		48	/* draft-brezak-win2k-krb-authz-00 */
		49
		50	/*
		51	@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
		52	if (version != 0)
		53	return EINVAL;
		54
		55	+ if (cbuffers < 1 \|\| cbuffers > MAX_BUFFERS)
		56	+ return ERANGE;
		57	+
		58	header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
		59	if (len < header_len)
		60	return ERANGE;
		61	@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
		62	krb5_pac_free(context, pac);
		63	return EINVAL;
		64	}
		65	- if (buffer->Offset < header_len \|\|
		66	- buffer->Offset + buffer->cbBufferSize > len) {
		67	+ if (buffer->Offset < header_len \|\| buffer->Offset > len \|\|
		68	+ buffer->cbBufferSize > len - buffer->Offset) {
		69	krb5_pac_free(context, pac);
		70	return ERANGE;
		71	}
		72	diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
		73	index 7b756a2..2353e9f 100644
		74	--- a/src/lib/krb5/krb/t_pac.c
		75	+++ b/src/lib/krb5/krb/t_pac.c
		76	@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
		77	0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
		78	};
		79
		80	+static const unsigned char fuzz1[] = {
		81	+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
		82	+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
		83	+};
		84	+
		85	+static const unsigned char fuzz2[] = {
		86	+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
		87	+ 0x20, 0x20
		88	+};
		89	+
		90	static const char *s4u_principal = "w2k8u@ACME.COM";
		91	static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
		92
		93	@@ -646,6 +656,14 @@ main(int argc, char **argv)
		94	krb5_free_principal(context, sep);
		95	}
		96
		97	+ /* Check problematic PACs found by fuzzing. */
		98	+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
		99	+ if (!ret)
		100	+ err(context, ret, "krb5_pac_parse should have failed");
		101	+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
		102	+ if (!ret)
		103	+ err(context, ret, "krb5_pac_parse should have failed");
		104	+
		105	/*
		106	* Test empty free
		107	*/
		108	--
		109	2.25.1
		110


diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index ae58e2df35..ebcfbc524c 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \
31	file://krb5-kdc.service \	31	file://krb5-kdc.service \
32	file://krb5-admin-server.service \	32	file://krb5-admin-server.service \
33	file://CVE-2021-36222.patch \	33	file://CVE-2021-36222.patch \
		34	file://CVE-2022-42898.patch;striplevel=2 \
34	"	35	"
35	SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"	36	SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878"
36	SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"	37	SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181"