Bug#1049373: bookworm-pu: package krb5/1.20.1-2+deb12u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1049373: bookworm-pu: package krb5/1.20.1-2+deb12u1
From: Sam Hartman <hartmans@debian.org>
Date: Mon, 14 Aug 2023 14:34:49 -0600
Message-id: <[🔎] 169204528990.2407849.12950132504211962640.reportbug@industrial-algebra.suchdamage.org>
Reply-to: Sam Hartman <hartmans@debian.org>, 1049373@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: krb5@packages.debian.org
Control: affects -1 + src:krb5


[ Reason ]
Non-DSA security update for a DOS


[ Impact ]
A remote authenticated attacker can crash kadmind.

[ Tests ]
autopkgtest  should cover this code path; tested upstream.

[ Risks ]

Simple obvious patch.



[ Checklist ]
  [x ] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 39cc059e25..a22fe91f26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.20.1-2+deb12u1) bookworm; urgency=high
+
+  * Fixes CVE-2023-36054: a  remote authenticated attacker can cause
+    kadmind to free an uninitialized pointer.  Upstream believes remote
+    code execusion is unlikely, Closes: #1043431 
+
+ -- Sam Hartman <hartmans@debian.org>  Mon, 14 Aug 2023 14:06:53 -0600
+
 krb5 (1.20.1-2) unstable; urgency=medium
 
   * Tighten dependencies on libkrb5support0.  This means that the entire
diff --git a/debian/patches/series b/debian/patches/series
index 3e5f0ef336..1b79d4b90e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ debian-local/0006-Add-substpdf-target.patch
 debian-local/0007-Fix-pkg-config-library-include-paths.patch
 debian-local/0008-Use-isystem-for-include-paths.patch
 0009-Add-.gitignore.patch
+upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch
diff --git a/debian/patches/upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch b/debian/patches/upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch
new file mode 100644
index 0000000000..f3378aac51
--- /dev/null
+++ b/debian/patches/upstream/0010-Ensure-array-count-consistency-in-kadm5-RPC.patch
@@ -0,0 +1,63 @@
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3f..287cae7 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 			     int v)
+ {
+ 	unsigned int n;
++	bool_t r;
+ 
+ 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ 		return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ 		return (FALSE);
+ 	}
++	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++		return (FALSE);
++	}
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ 		return (FALSE);
+ 	}
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 		return FALSE;
+ 	}
+ 	n = objp->n_key_data;
+-	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-		       &n, ~0, sizeof(krb5_key_data),
+-		       xdr_krb5_key_data_nocontents)) {
++	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++	objp->n_key_data = n;
++	if (!r) {
+ 		return (FALSE);
+ 	}
+

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package krb5/1.20.1-2+deb12u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1049373: krb5 1.20.1-2+deb12u1 flagged for acceptance
  - From: Jonathan Wiltshire <jmw@debian.org>

Prev by Date: Bug#1049364: transition: gnome-panel
Next by Date: Processed: bookworm-pu: package krb5/1.20.1-2+deb12u1
Previous by thread: Processed: Re: Bug#1049364: transition: gnome-panel
Next by thread: Processed: bookworm-pu: package krb5/1.20.1-2+deb12u1
Index(es):
- Date
- Thread