From 459ccd8746d42bdcf167c12caa3a7318d23cbb5b Mon Sep 17 00:00:00 2001
From: Tee KOBAYASHI
Date: Wed, 16 Nov 2022 12:19:57 +0900
Subject: [PATCH] krb5: Bump to 1.20.1
---
packages/krb5/CVE-2022-42898.patch | 100 -----------------------------
packages/krb5/build.sh | 5 +-
2 files changed, 2 insertions(+), 103 deletions(-)
delete mode 100644 packages/krb5/CVE-2022-42898.patch
diff --git a/packages/krb5/CVE-2022-42898.patch b/packages/krb5/CVE-2022-42898.patch
deleted file mode 100644
index edf2e10687..0000000000
--- a/packages/krb5/CVE-2022-42898.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-commit b99de751dd35360c0fccac74a40f4a60dbf1ceea
-Author: Greg Hudson
-Date: Mon Oct 17 20:25:11 2022 -0400
-
- Fix integer overflows in PAC parsing
-
- In krb5_parse_pac(), check for buffer counts large enough to threaten
- integer overflow in the header length and memory length calculations.
- Avoid potential integer overflows when checking the length of each
- buffer. Credit to OSS-Fuzz for discovering one of the issues.
-
- CVE-2022-42898:
-
- In MIT krb5 releases 1.8 and later, an authenticated attacker may be
- able to cause a KDC or kadmind process to crash by reading beyond the
- bounds of allocated memory, creating a denial of service. A
- privileged attacker may similarly be able to cause a Kerberos or GSS
- application service to crash. On 32-bit platforms, an attacker can
- also cause insufficient memory to be allocated for the result,
- potentially leading to remote code execution in a KDC, kadmind, or GSS
- or Kerberos application server process. An attacker with the
- privileges of a cross-realm KDC may be able to extract secrets from a
- KDC process's memory by having them copied into the PAC of a new
- ticket.
-
- (cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)
-
- ticket: 9074
- version_fixed: 1.20.1
-
-diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
-index 2f1df8d42b..f6c4373de0 100644
---- a/src/lib/krb5/krb/pac.c
-+++ b/lib/krb5/krb/pac.c
-@@ -28,6 +28,8 @@
- #include "int-proto.h"
- #include "authdata.h"
-
-+#define MAX_BUFFERS 4096
-+
- /* draft-brezak-win2k-krb-authz-00 */
-
- /*
-@@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context,
- if (version != 0)
- return EINVAL;
-
-+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
-+ return ERANGE;
-+
- header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
- if (len < header_len)
- return ERANGE;
-@@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context,
- krb5_pac_free(context, pac);
- return EINVAL;
- }
-- if (buffer->Offset < header_len ||
-- buffer->Offset + buffer->cbBufferSize > len) {
-+ if (buffer->Offset < header_len || buffer->Offset > len ||
-+ buffer->cbBufferSize > len - buffer->Offset) {
- krb5_pac_free(context, pac);
- return ERANGE;
- }
-diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
-index 0b1b1f0564..173bde7bab 100644
---- a/src/lib/krb5/krb/t_pac.c
-+++ b/lib/krb5/krb/t_pac.c
-@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
- 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
- };
-
-+static const unsigned char fuzz1[] = {
-+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
-+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
-+};
-+
-+static const unsigned char fuzz2[] = {
-+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
-+ 0x20, 0x20
-+};
-+
- static const char *s4u_principal = "w2k8u@ACME.COM";
- static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
-
-@@ -828,6 +838,14 @@ main(int argc, char **argv)
- krb5_free_principal(context, sep);
- }
-
-+ /* Check problematic PACs found by fuzzing. */
-+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
-+ if (!ret)
-+ err(context, ret, "krb5_pac_parse should have failed");
-+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
-+ if (!ret)
-+ err(context, ret, "krb5_pac_parse should have failed");
-+
- /*
- * Test empty free
- */
diff --git a/packages/krb5/build.sh b/packages/krb5/build.sh
index 8ee2457053..12c52360f4 100644
--- a/packages/krb5/build.sh
+++ b/packages/krb5/build.sh
@@ -3,10 +3,9 @@ TERMUX_PKG_DESCRIPTION="The Kerberos network authentication system"
 TERMUX_PKG_LICENSE="custom"
 TERMUX_PKG_LICENSE_FILE="../NOTICE"
 TERMUX_PKG_MAINTAINER="@termux"
-TERMUX_PKG_VERSION=1.20
-TERMUX_PKG_REVISION=2
+TERMUX_PKG_VERSION=1.20.1
 TERMUX_PKG_SRCURL=https://fossies.org/linux/misc/krb5-$TERMUX_PKG_VERSION.tar.gz
-TERMUX_PKG_SHA256=7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f
+TERMUX_PKG_SHA256=704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851
 TERMUX_PKG_DEPENDS="libandroid-support, libandroid-glob, libresolv-wrapper, readline, openssl, libdb"
 TERMUX_PKG_BREAKS="krb5-dev"
 TERMUX_PKG_REPLACES="krb5-dev"