Version in base suite: 1.18.3-6+deb11u3 Base version: krb5_1.18.3-6+deb11u3 Target version: krb5_1.18.3-6+deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/krb5/krb5_1.18.3-6+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/krb5/krb5_1.18.3-6+deb11u4.dsc changelog | 8 + patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch | 63 ++++++++++ patches/series | 1 3 files changed, 72 insertions(+) diff -Nru krb5-1.18.3/debian/changelog krb5-1.18.3/debian/changelog --- krb5-1.18.3/debian/changelog 2022-11-17 19:41:46.000000000 +0000 +++ krb5-1.18.3/debian/changelog 2023-08-14 20:42:46.000000000 +0000 @@ -1,3 +1,11 @@ +krb5 (1.18.3-6+deb11u4) bullseye; urgency=medium + + * Fixes CVE-2023-36054: a remote authenticated attacker can cause + kadmind to free an uninitialized pointer. Upstream believes remote + code execusion is unlikely, Closes: #1043431 + + -- Sam Hartman Mon, 14 Aug 2023 14:42:46 -0600 + krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high * Integer overflows in PAC parsing; potentially critical for 32-bit diff -Nru krb5-1.18.3/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch krb5-1.18.3/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch --- krb5-1.18.3/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.18.3/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch 2023-08-14 20:42:46.000000000 +0000 @@ -0,0 +1,63 @@ +From: Greg Hudson +Date: Wed, 21 Jun 2023 10:57:39 -0400 +Subject: Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE-2023-36054: + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd) +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 8383e4e..9585080 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + diff -Nru krb5-1.18.3/debian/patches/series krb5-1.18.3/debian/patches/series --- krb5-1.18.3/debian/patches/series 2022-11-17 19:41:46.000000000 +0000 +++ krb5-1.18.3/debian/patches/series 2023-08-14 20:42:46.000000000 +0000 @@ -12,3 +12,4 @@ 0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch 0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch 0014-Fix-integer-overflows-in-PAC-parsing.patch +0015-Ensure-array-count-consistency-in-kadm5-RPC.patch