Hi Sam,
On Thu, Nov 17, 2022 at 01:11:44PM -0700, Sam Hartman wrote:
> >>>>> "Salvatore" == Salvatore Bonaccorso <car...@debian.org> writes:
> Salvatore> Thanks for sharing the analysis. Can you prepare debdiff
> Salvatore> for bullseye-security accordingly, so we can release an
> Salvatore> update via a DSA?
>
> diff --git a/debian/changelog b/debian/changelog
> index d6eaa38262..60fb20b347 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high
> +
> + * Integer overflows in PAC parsing; potentially critical for 32-bit
> + KDCs or when cross-realm acts maliciously; DOS in other conditions;
> + CVE-2022-42898, Closes: #1024267
> +
> + -- Sam Hartman <hartm...@debian.org> Thu, 17 Nov 2022 12:41:46 -0700
> +
> krb5 (1.18.3-6+deb11u2) bullseye; urgency=medium
>
> * Use SHA256 as Pkinit CMS Digest, Closes: #1017995
> diff --git a/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
> b/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
> new file mode 100644
> index 0000000000..04dbfd4788
> --- /dev/null
> +++ b/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
> @@ -0,0 +1,104 @@
> +From: Greg Hudson <ghud...@mit.edu>
> +Date: Mon, 17 Oct 2022 20:25:11 -0400
> +Subject: Fix integer overflows in PAC parsing
> +
> +In krb5_parse_pac(), check for buffer counts large enough to threaten
> +integer overflow in the header length and memory length calculations.
> +Avoid potential integer overflows when checking the length of each
> +buffer. Credit to OSS-Fuzz for discovering one of the issues.
> +
> +CVE-2022-42898:
> +
> +In MIT krb5 releases 1.8 and later, an authenticated attacker may be
> +able to cause a KDC or kadmind process to crash by reading beyond the
> +bounds of allocated memory, creating a denial of service. A
> +privileged attacker may similarly be able to cause a Kerberos or GSS
> +application service to crash. On 32-bit platforms, an attacker can
> +also cause insufficient memory to be allocated for the result,
> +potentially leading to remote code execution in a KDC, kadmind, or GSS
> +or Kerberos application server process. An attacker with the
> +privileges of a cross-realm KDC may be able to extract secrets from a
> +KDC process's memory by having them copied into the PAC of a new
> +ticket.
> +
> +(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
> +
> +ticket: 9074
> +version_fixed: 1.20.1
> +
> +(cherry picked from commit b99de751dd35360c0fccac74a40f4a60dbf1ceea)
> +---
> + src/lib/krb5/krb/pac.c | 9 +++++++--
> + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
> + 2 files changed, 25 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
> +index 950beda..1b9ef12 100644
> +--- a/src/lib/krb5/krb/pac.c
> ++++ b/src/lib/krb5/krb/pac.c
> +@@ -27,6 +27,8 @@
> + #include "k5-int.h"
> + #include "authdata.h"
> +
> ++#define MAX_BUFFERS 4096
> ++
> + /* draft-brezak-win2k-krb-authz-00 */
> +
> + /*
> +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
> + if (version != 0)
> + return EINVAL;
> +
> ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
> ++ return ERANGE;
> ++
> + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
> + if (len < header_len)
> + return ERANGE;
> +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
> + krb5_pac_free(context, pac);
> + return EINVAL;
> + }
> +- if (buffer->Offset < header_len ||
> +- buffer->Offset + buffer->cbBufferSize > len) {
> ++ if (buffer->Offset < header_len || buffer->Offset > len ||
> ++ buffer->cbBufferSize > len - buffer->Offset) {
> + krb5_pac_free(context, pac);
> + return ERANGE;
> + }
> +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
> +index ee47152..ccd1653 100644
> +--- a/src/lib/krb5/krb/t_pac.c
> ++++ b/src/lib/krb5/krb/t_pac.c
> +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
> + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
> + };
> +
> ++static const unsigned char fuzz1[] = {
> ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
> ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
> ++};
> ++
> ++static const unsigned char fuzz2[] = {
> ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
> ++ 0x20, 0x20
> ++};
> ++
> + static const char *s4u_principal = "w2...@acme.com";
> + static const char *s4u_enterprise = "w2k8u@a...@acme.com";
> +
> +@@ -646,6 +656,14 @@ main(int argc, char **argv)
> + krb5_free_principal(context, sep);
> + }
> +
> ++ /* Check problematic PACs found by fuzzing. */
> ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
> ++ if (!ret)
> ++ err(context, ret, "krb5_pac_parse should have failed");
> ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
> ++ if (!ret)
> ++ err(context, ret, "krb5_pac_parse should have failed");
> ++
> + /*
> + * Test empty free
> + */
> diff --git a/debian/patches/series b/debian/patches/series
> index c02427759f..a62749cd49 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -11,3 +11,4 @@ debian-local/0008-Use-isystem-for-include-paths.patch
> 0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> 0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
> 0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
> +0014-Fix-integer-overflows-in-PAC-parsing.patch
Thanges looks good to me, can you please upload to security-master?
(Make sure to build with -sa to include the orig tarball in the
upload).
Regards,
Salvatore
