git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Fri, 14 Jun 2024 14:56:12 +0000 (10:56 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Wed, 26 Jun 2024 16:32:23 +0000 (12:32 -0400)
commit	b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
tree	54b1d106bc1bc43247601f224b84606bf1dfa46b	tree
parent	78f38ca89a6e80cd17bd3ba2f9c5482981206ad5	commit \| diff

Fix vulnerabilities in GSS message token handling

In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header.  Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes.  Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper.  This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.

ticket: 9128 (new)
tags: pullup
target_version: 1.21-next

src/lib/gssapi/krb5/k5sealv3.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5sealv3iov.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5unsealiov.c		diff \| blob \| blame \| history
src/tests/gssapi/t_invalid.c		diff \| blob \| blame \| history