>>>>> "Salvatore" == Salvatore Bonaccorso <car...@debian.org> writes:
Salvatore> Thanks for sharing the analysis. Can you prepare debdiff
Salvatore> for bullseye-security accordingly, so we can release an
Salvatore> update via a DSA?
diff --git a/debian/changelog b/debian/changelog
index d6eaa38262..60fb20b347 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high
+
+ * Integer overflows in PAC parsing; potentially critical for 32-bit
+ KDCs or when cross-realm acts maliciously; DOS in other conditions;
+ CVE-2022-42898, Closes: #1024267
+
+ -- Sam Hartman <hartm...@debian.org> Thu, 17 Nov 2022 12:41:46 -0700
+
krb5 (1.18.3-6+deb11u2) bullseye; urgency=medium
* Use SHA256 as Pkinit CMS Digest, Closes: #1017995
diff --git a/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
b/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
new file mode 100644
index 0000000000..04dbfd4788
--- /dev/null
+++ b/debian/patches/0014-Fix-integer-overflows-in-PAC-parsing.patch
@@ -0,0 +1,104 @@
+From: Greg Hudson <ghud...@mit.edu>
+Date: Mon, 17 Oct 2022 20:25:11 -0400
+Subject: Fix integer overflows in PAC parsing
+
+In krb5_parse_pac(), check for buffer counts large enough to threaten
+integer overflow in the header length and memory length calculations.
+Avoid potential integer overflows when checking the length of each
+buffer. Credit to OSS-Fuzz for discovering one of the issues.
+
+CVE-2022-42898:
+
+In MIT krb5 releases 1.8 and later, an authenticated attacker may be
+able to cause a KDC or kadmind process to crash by reading beyond the
+bounds of allocated memory, creating a denial of service. A
+privileged attacker may similarly be able to cause a Kerberos or GSS
+application service to crash. On 32-bit platforms, an attacker can
+also cause insufficient memory to be allocated for the result,
+potentially leading to remote code execution in a KDC, kadmind, or GSS
+or Kerberos application server process. An attacker with the
+privileges of a cross-realm KDC may be able to extract secrets from a
+KDC process's memory by having them copied into the PAC of a new
+ticket.
+
+(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
+
+ticket: 9074
+version_fixed: 1.20.1
+
+(cherry picked from commit b99de751dd35360c0fccac74a40f4a60dbf1ceea)
+---
+ src/lib/krb5/krb/pac.c | 9 +++++++--
+ src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index 950beda..1b9ef12 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -27,6 +27,8 @@
+ #include "k5-int.h"
+ #include "authdata.h"
+
++#define MAX_BUFFERS 4096
++
+ /* draft-brezak-win2k-krb-authz-00 */
+
+ /*
+@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
+ if (version != 0)
+ return EINVAL;
+
++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
++ return ERANGE;
++
+ header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
+ if (len < header_len)
+ return ERANGE;
+@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
+ krb5_pac_free(context, pac);
+ return EINVAL;
+ }
+- if (buffer->Offset < header_len ||
+- buffer->Offset + buffer->cbBufferSize > len) {
++ if (buffer->Offset < header_len || buffer->Offset > len ||
++ buffer->cbBufferSize > len - buffer->Offset) {
+ krb5_pac_free(context, pac);
+ return ERANGE;
+ }
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index ee47152..ccd1653 100644
+--- a/src/lib/krb5/krb/t_pac.c
++++ b/src/lib/krb5/krb/t_pac.c
+@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
+ 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
+ };
+
++static const unsigned char fuzz1[] = {
++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
++};
++
++static const unsigned char fuzz2[] = {
++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
++ 0x20, 0x20
++};
++
+ static const char *s4u_principal = "w2...@acme.com";
+ static const char *s4u_enterprise = "w2k8u@a...@acme.com";
+
+@@ -646,6 +656,14 @@ main(int argc, char **argv)
+ krb5_free_principal(context, sep);
+ }
+
++ /* Check problematic PACs found by fuzzing. */
++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
++ if (!ret)
++ err(context, ret, "krb5_pac_parse should have failed");
++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
++ if (!ret)
++ err(context, ret, "krb5_pac_parse should have failed");
++
+ /*
+ * Test empty free
+ */
diff --git a/debian/patches/series b/debian/patches/series
index c02427759f..a62749cd49 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ debian-local/0008-Use-isystem-for-include-paths.patch
0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
+0014-Fix-integer-overflows-in-PAC-parsing.patch
signature.asc
Description: PGP signature
