heimdal: address CVE-2022-42898 (#6046)

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Muhammad Falak R Wani 2023-08-29 08:56:57 +05:30 коммит произвёл GitHub
Родитель f754814e7e
Коммит 0cceaaf45c
5 изменённых файлов: 406 добавлений и 1 удалений


@ -0,0 +1,34 @@
From 7f4a2848e01ddaa3250d9d17e2e87a090b29a1c8 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@auristor.com>
Date: Wed, 16 Nov 2022 17:28:21 -0500
Subject: [PATCH 1/3] lib/krb5: krb5_pac_parse mem leak if pac_header_size
failure
48 byte memory leak from krb5_pac_parse() each time pac_header_size()
fails.
(cherry picked from commit 02f12fc746341f54a514e9e17bc7d315b91129e8)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
lib/krb5/pac.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index cf051cd1f..81eba84e2 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -204,9 +204,8 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
}
ret = pac_header_size(context, tmp, &header_end);
- if (ret) {
- return ret;
- }
+ if (ret)
+ goto out;
p->pac = calloc(1, header_end);
if (p->pac == NULL) {
--
2.42.0
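Review bot: The new `goto out` on the pac_header_size() failure path only closes the 48-byte leak if the `out:` label, which lies outside the hunk, frees `p` before returning `ret`; krb5_pac_parse's body continues past the hunk on both sides, so that should be confirmed against the full function rather than the hunk. A one-line comment on the new branch, `/* p is released by the out: cleanup; never return directly from here */`, would keep a later edit from reintroducing the early return this patch removes.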


@ -0,0 +1,191 @@
From f452eea6f2aa4df7f4f60c56902a4c2c510c103a Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 16 Jun 2022 15:26:07 +1200
Subject: [PATCH 2/3] kdc: Check generate_pac() return code
If the function fails, we should not issue a ticket missing the PAC.
(cherry picked from commit 05e589d2473a1bd225b0fc4670c75ba24091644d)
(cherry picked from commit d1e077c50b6b6e6108d70a0301b97f6904c45ca7)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
kdc/kerberos5.c | 44 +++++++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 21 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index a06dc7d2a..f04472ef7 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -359,10 +359,10 @@ pa_pkinit_validate(kdc_request_t r, const PA_DATA *pa)
r->client_name);
goto out;
}
-
+
ret = _kdc_pk_check_client(r->context,
r->config,
- r->clientdb,
+ r->clientdb,
r->client,
pkp,
&client_cert);
@@ -460,7 +460,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
int i;
heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
-
+
if (_kdc_is_anon_request(&r->req)) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(r->context, r->config, 0, "ENC-CHALL doesn't support anon");
@@ -491,23 +491,23 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
PA_ENC_TS_ENC p;
k = &r->client->entry.keys.val[i];
-
+
ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto);
if (ret)
- continue;
-
+ continue;
+
ret = krb5_crypto_fx_cf2(r->context, r->armor_crypto, longtermcrypto,
&pepper1, &pepper2, aenctype,
&challangekey);
krb5_crypto_destroy(r->context, longtermcrypto);
if (ret)
continue;
-
+
ret = krb5_crypto_init(r->context, &challangekey, 0,
&challangecrypto);
if (ret)
continue;
-
+
ret = krb5_decrypt_EncryptedData(r->context, challangecrypto,
KRB5_KU_ENC_CHALLENGE_CLIENT,
&enc_data,
@@ -530,7 +530,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
continue;
}
-
+
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
&p,
@@ -571,7 +571,7 @@ pa_enc_chal_validate(kdc_request_t r, const PA_DATA *pa)
krb5_crypto_destroy(r->context, challangecrypto);
if (ret)
goto out;
-
+
set_salt_padata(&r->outpadata, k->salt);
krb5_free_keyblock_contents(r->context, &r->reply_key);
ret = krb5_copy_keyblock_contents(r->context, &k->key, &r->reply_key);
@@ -609,7 +609,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
size_t len;
Key *pa_key;
char *str;
-
+
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
@@ -620,7 +620,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
r->client_name);
goto out;
}
-
+
ret = hdb_enctype2key(r->context, &r->client->entry, NULL,
enc_data.etype, &pa_key);
if(ret){
@@ -704,7 +704,7 @@ pa_enc_ts_validate(kdc_request_t r, const PA_DATA *pa)
}
if (labs(kdc_time - p.patimestamp) > r->context->max_skew) {
char client_time[100];
-
+
krb5_format_time(r->context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
@@ -776,7 +776,7 @@ static const struct kdc_patypes pat[] = {
{ KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", 0, NULL },
#endif
{ KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL },
- {
+ {
KRB5_PADATA_ENC_TIMESTAMP , "ENC-TS",
PA_ANNOUNCE,
pa_enc_ts_validate
@@ -800,7 +800,7 @@ log_patypes(krb5_context context,
struct rk_strpool *p = NULL;
char *str;
size_t n, m;
-
+
for (n = 0; n < padata->len; n++) {
for (m = 0; m < sizeof(pat) / sizeof(pat[0]); m++) {
if (padata->val[n].padata_type == pat[m].type) {
@@ -1569,7 +1569,7 @@ generate_pac(kdc_request_t r, Key *skey)
r->client_name);
return ret;
}
-
+
ret = _kdc_tkt_add_if_relevant_ad(r->context, &r->et,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
@@ -1638,7 +1638,7 @@ add_enc_pa_rep(kdc_request_t r)
KRB5_PADATA_REQ_ENC_PA_REP, cdata.data, cdata.length);
if (ret)
return ret;
-
+
return krb5_padata_add(r->context, r->ek.encrypted_pa_data,
KRB5_PADATA_FX_FAST, NULL, 0);
}
@@ -1899,7 +1899,7 @@ _kdc_as_rep(kdc_request_t r,
goto out;
}
- /*
+ /*
* send requre preauth is its required or anon is requested,
* anon is today only allowed via preauth mechanisms.
*/
@@ -1921,7 +1921,7 @@ _kdc_as_rep(kdc_request_t r,
}
if (r->clientdb->hdb_auth_status) {
- r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
+ r->clientdb->hdb_auth_status(context, r->clientdb, r->client,
HDB_AUTH_SUCCESS);
}
@@ -2038,7 +2038,7 @@ _kdc_as_rep(kdc_request_t r,
{
time_t start;
time_t t;
-
+
start = r->et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
@@ -2199,7 +2199,9 @@ _kdc_as_rep(kdc_request_t r,
/* Add the PAC */
if (send_pac_p(context, req) && !r->et.flags.anonymous) {
- generate_pac(r, skey);
+ ret = generate_pac(r, skey);
+ if (ret)
+ goto out;
}
_kdc_log_timestamp(context, config, "AS-REQ", r->et.authtime, r->et.starttime,
--
2.42.0
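Review bot: Only the last hunk, `ret = generate_pac(r, skey); if (ret) goto out;` in _kdc_as_rep, is the functional change; the other eleven hunks in this patch file strip trailing whitespace, which makes the backport harder to audit and more likely to conflict on the next rebase of the 7.7.1 base. Trimming the file to the `@@ -2199,7 +2199,9 @@` hunk would keep the CVE fix self-contained. The `out:` label of _kdc_as_rep is outside the hunk, so the new early exit presumably depends on it to release the partially built reply and turn `ret` into a KRB-ERROR; the generate_pac failure branches visible at the 1569 hunk log and `return ret` without setting any error text, so that mapping is worth checking.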


@ -0,0 +1,132 @@
From 06151a48e0dbd24475b8d3aea55548d79cd072b0 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Thu, 20 Oct 2022 13:27:31 +1300
Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
[abartlet@samba.org adapted from Heimdal commit
ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
by removing references to FAST and GSS-pre-auth.
This fixes the Windows 11 22H2 issue with TGS-REQ
as seen at https:github.com/heimdal/heimdal/issues/1011 and so
removes the knownfail file for this test]
FIXES: 1011
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4cd3926e14eca91ca10a9ec87200c8bd717b66e4)
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---
kdc/krb5tgs.c | 24 ++----------------------
kdc/pkinit.c | 16 ++--------------
lib/asn1/krb5.opt | 1 +
3 files changed, 5 insertions(+), 36 deletions(-)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 5dd8baf82..1c5195822 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1078,9 +1078,6 @@ tgs_check_authenticator(krb5_context context,
krb5_keyblock *key)
{
krb5_authenticator auth;
- size_t len = 0;
- unsigned char *buf;
- size_t buf_size;
krb5_error_code ret;
krb5_crypto crypto;
@@ -1106,25 +1103,9 @@ tgs_check_authenticator(krb5_context context,
goto out;
}
- /* XXX should not re-encode this */
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
- if(ret){
- const char *msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
- krb5_free_error_message(context, msg);
- goto out;
- }
- if(buf_size != len) {
- free(buf);
- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
- *e_text = "KDC internal error";
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
- free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
goto out;
@@ -1132,10 +1113,9 @@ tgs_check_authenticator(krb5_context context,
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
- buf,
- len,
+ b->_save.data,
+ b->_save.length,
auth->cksum);
- free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 39b08f960..c79c960aa 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -111,10 +111,7 @@ pk_check_pkauthenticator(krb5_context context,
PKAuthenticator *a,
const KDC_REQ *req)
{
- u_char *buf = NULL;
- size_t buf_size;
krb5_error_code ret;
- size_t len = 0;
krb5_timestamp now;
Checksum checksum;
@@ -126,22 +123,13 @@ pk_check_pkauthenticator(krb5_context context,
return KRB5KRB_AP_ERR_SKEW;
}
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
- if (ret) {
- krb5_clear_error_message(context);
- return ret;
- }
- if (buf_size != len)
- krb5_abortx(context, "Internal error in ASN.1 encoder");
-
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_SHA1,
- buf,
- len,
+ req->req_body._save.data,
+ req->req_body._save.length,
&checksum);
- free(buf);
if (ret) {
krb5_clear_error_message(context);
return ret;
diff --git a/lib/asn1/krb5.opt b/lib/asn1/krb5.opt
index 1d6d5e898..5acc596d3 100644
--- a/lib/asn1/krb5.opt
+++ b/lib/asn1/krb5.opt
@@ -4,3 +4,4 @@
--sequence=METHOD-DATA
--sequence=ETYPE-INFO
--sequence=ETYPE-INFO2
+--preserve-binary=KDC-REQ-BODY
--
2.42.0
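Review bot: The new checksum inputs `b->_save.data`/`b->_save.length` in tgs_check_authenticator and `req->req_body._save.data`/`._save.length` in pk_check_pkauthenticator are only filled in when the KDC-REQ-BODY came out of an ASN.1 decoder generated with the added `--preserve-binary=KDC-REQ-BODY` option; a body built in process, or a build whose lib/asn1 output was not regenerated, leaves `_save.length` at 0 and the checksum would then be computed over zero bytes instead of failing. A guard before each call keeps the failure explicit and mirrors the `buf_size != len` branch this patch removes, e.g. in krb5tgs.c `if (b->_save.length == 0) { *e_text = "KDC internal error"; ret = KRB5KRB_ERR_GENERIC; goto out; }`, and an equivalent early `return` in pkinit.c where the removed `krb5_abortx` path now has no replacement. Both functions start before their hunks, so the exact error-return convention should be taken from the surrounding code.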


@ -0,0 +1,40 @@
From 3bc1a99f71fc09ec65e870e4cf487694f9eb70e6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Nov 2022 10:05:56 -0500
Subject: [PATCH] lib/krb5: fix _krb5_get_int64 on 32-bit systems
On systems where 'unsigned long' is 32-bits and the 'size'
parameter is set to 8 and the bytes are:
0x78 0x00 0x00 0x00 0x00 0x00 0x00 0x00
When 'i' becomes 4 'v' will be 0 again. As 'unsigned long' is only
able to hold 4 bytes.
Change the type of 'v' from 'unsigned long' to 'uint64_t' which
matches the type of the output parameter 'value'.
(cherry picked from commit 9d1bfab9882d0aa14ae0981e6667c93db93ffc5d)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
CVE: CVE-2022-42898
Samba-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
---
lib/krb5/store-int.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/krb5/store-int.c b/lib/krb5/store-int.c
index 542b99abc0..6fe7eb37fc 100644
--- a/lib/krb5/store-int.c
+++ b/lib/krb5/store-int.c
@@ -49,7 +49,7 @@ KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
_krb5_get_int64(void *buffer, uint64_t *value, size_t size)
{
unsigned char *p = buffer;
- unsigned long v = 0;
+ uint64_t v = 0;
size_t i;
for (i = 0; i < size; i++)
v = (v << 8) + p[i];
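Review bot: Widening `v` to `uint64_t` fixes the truncation described in the message, but the loop still accepts any `size`: for `size > 8` the later bytes shift the earlier ones out of `v` silently (unsigned shift, so no undefined behaviour, but a wrong value with no error). Since `size` is already a parameter, a bound before the loop such as `if (size > sizeof(*value)) return -1;` (or whatever error value the function's existing return convention uses, which is outside this hunk) would make the contract explicit. _krb5_get_int64's body continues past the hunk.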


@ -12,7 +12,7 @@
Summary: A Kerberos 5 implementation without export restrictions
Name: heimdal
Version: 7.7.1
Release: 2%{?dist}
Release: 3%{?dist}
License: BSD AND MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -41,6 +41,10 @@ Source31: %{name}-ipropd-slave-wrapper
Patch1: heimdal-1.6.0-c25f45a-rename-commands.patch
Patch2: heimdal-configure.patch
Patch3: CVE-2022-45142.patch
Patch4: CVE-2022-42898.patch
Patch5: 0001-lib-krb5-krb5_pac_parse-mem-leak-if-pac_header_size-.patch
Patch6: 0002-kdc-Check-generate_pac-return-code.patch
Patch7: 0003-kdc-avoid-re-encoding-KDC-REQ-BODY.patch
BuildRequires: bison
#libcom_err-devel is in
#BuildRequires: libcom_err-devel
@ -483,6 +487,10 @@ fi
%{_sysconfdir}/profile.d/%{name}.csh
%changelog
* Thu Aug 24 2023 Muhammad Falak R Wani <mwani@microsoft.com> - 7.7.1-3
- Address CVE-2022-42898
- Introduce 3 more patches that fix bugs: https://github.com/heimdal/heimdal/issues/1011
* Tue Mar 14 2023 Thien Trung Vuong <tvuong@microsoft.com> - 7.7.1-2
- Add patch for CVE-2022-45142
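Review bot: Patch4 through Patch7 are declared in the Patch block, but nothing in this diff shows them being applied; if `%prep` uses explicit `%patch<N> -p1` lines rather than `%autosetup -p1`, the four new patches need matching entries, and that section is outside the shown hunks. The changelog entry could also name which upstream commits the three heimdal patches carry, since the bullet only cites the issue link, while the patch files themselves record the cherry-picked commit ids.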