
Commit 99c054a

[AUTO-CHERRYPICK] Revert to 1.19.4, add epoch and add patch for CVE-2024-37371 and CVE-2024-37370 - branch main (#10491)
Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
1 parent fe555eb commit 99c054a

9 files changed

Lines changed: 662 additions & 19 deletions


SPECS/krb5/CVE-2023-36054.patch

Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
2+
From: Greg Hudson <ghudson@mit.edu>
3+
Date: Wed, 21 Jun 2023 10:57:39 -0400
4+
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
5+
6+
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
7+
key_data array count when decoding. Otherwise when the structure is
8+
later freed, xdr_array() could iterate over the wrong number of
9+
elements, either leaking some memory or freeing uninitialized
10+
pointers. Reported by Robert Morris.
11+
12+
CVE-2023-36054:
13+
14+
An authenticated attacker can cause a kadmind process to crash by
15+
freeing uninitialized pointers. Remote code execution is unlikely.
16+
An attacker with control of a kadmin server can cause a kadmin client
17+
to crash by freeing uninitialized pointers.
18+
19+
ticket: 9099 (new)
20+
tags: pullup
21+
target_version: 1.21-next
22+
target_version: 1.20-next
23+
---
24+
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
25+
1 file changed, 8 insertions(+), 3 deletions(-)
26+
27+
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
28+
index 0411c3fd3f4..287cae750f9 100644
29+
--- a/src/lib/kadm5/kadm_rpc_xdr.c
30+
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
31+
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
32+
int v)
33+
{
34+
unsigned int n;
35+
+ bool_t r;
36+
37+
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
38+
return (FALSE);
39+
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
40+
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
41+
return (FALSE);
42+
}
43+
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
44+
+ return (FALSE);
45+
+ }
46+
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
47+
return (FALSE);
48+
}
49+
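Review bot: the new negative-count guard covers n_key_data only, while n_tl_data is read right after it with the same xdr_krb5_int16 call and no equivalent check; it is worth confirming in the same change that the tl_data path does not pair a signed count with an array decode the way key_data does, or noting in the commit message why it needs no guard. Restricting the check to XDR_DECODE is the right scope: on encode the count is owned by the caller, and on free the value has already been validated by the decode that produced it.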
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
50+
return FALSE;
51+
}
52+
n = objp->n_key_data;
53+
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
54+
- &n, ~0, sizeof(krb5_key_data),
55+
- xdr_krb5_key_data_nocontents)) {
56+
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
57+
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
58+
+ objp->n_key_data = n;
59+
+ if (!r) {
60+
return (FALSE);
61+
}
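Review bot: `objp->n_key_data = n;` is intentionally placed before the `if (!r)` return so that a partially decoded array leaves the count consistent with what xdr_array actually allocated by the time the caller frees the structure; that ordering is the whole fix and is easy to undo in a later cleanup, so a one-line comment stating that the assignment must stay ahead of the error return would protect it. The assignment also narrows an unsigned int back into krb5_int16, which is only safe because the maxsize argument is now objp->n_key_data itself (already rejected if negative on decode) and therefore bounds n, where the previous ~0 bound accepted any count.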
