Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: k...@packages.debian.org
Control: affects -1 + src:krb5
This is the bullseye version of the bookworm update request I just filed.

[ Reason ]
Non-DSA security update for a DoS

[ Impact ]
A remote authenticated attacker can crash kadmind.

[ Tests ]
autopkgtest should cover this code path; tested upstream.

[ Risks ]
Simple obvious patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog index 60fb20b347..bea091f603 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +krb5 (1.18.3-6+deb11u4) bullseye; urgency=medium + + * Fixes CVE-2023-36054: a remote authenticated attacker can cause + kadmind to free an uninitialized pointer. Upstream believes remote + code execusion is unlikely, Closes: #1043431 + + -- Sam Hartman <hartm...@debian.org> Mon, 14 Aug 2023 14:42:46 -0600 + krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high * Integer overflows in PAC parsing; potentially critical for 32-bit diff --git a/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch b/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch new file mode 100644 index 0000000000..658dc99e5b --- /dev/null +++ b/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch 
@@ -0,0 +1,63 @@ +From: Greg Hudson <ghud...@mit.edu> +Date: Wed, 21 Jun 2023 10:57:39 -0400 +Subject: Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE-2023-36054: + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd) +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 8383e4e..9585080 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) 
&objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + diff --git a/debian/patches/series b/debian/patches/series index a62749cd49..c87cf1c9d2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ debian-local/0008-Use-isystem-for-include-paths.patch 0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch 0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch 0014-Fix-integer-overflows-in-PAC-parsing.patch +0015-Ensure-array-count-consistency-in-kadm5-RPC.patch
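Review bot: typo in the new debian/changelog entry for 1.18.3-6+deb11u4, "remote code execusion is unlikely" should read "remote code execution is unlikely", and the sentence ends in a comma before "Closes: #1043431" where a period (and, by the usual convention, parentheses around the Closes) would be expected. This text ships in the binary package's changelog, so it is worth correcting before upload.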
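Review bot: the new guard `if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0)` in _xdr_kadm5_principal_ent_rec() covers n_key_data only, while n_tl_data is decoded on the very next lines with no equivalent sign check. If the tl_data decoding further down uses n_tl_data as an element count in the same way, the same guard belongs there; if it does not, a one-line comment saying why n_key_data alone needs it would save the next reader the question.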
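Review bot: in the xdr_array hunk, `objp->n_key_data = n;` is placed before `if (!r) { return (FALSE); }` so that the count matches whatever xdr_array actually processed even when the decode fails, which is the point of the fix; a short comment there would stop a later cleanup from folding the assignment into the success path. Note also that the maxsize argument is now `objp->n_key_data` (a krb5_int16 promoted to unsigned int) instead of `~0`, which is only safe on decode because of the `n_key_data < 0` check added in the previous hunk, so the two hunks must travel together if this patch is ever rebased or partially reverted.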