From 2432ce3c414fcca8788598d19700c5d99b3797a7 Mon Sep 17 00:00:00 2001
From: zhouchenchen123
Date: Tue, 20 Dec 2022 23:34:14 +0800
Subject: [PATCH] fix some coredump
---
 ...ic_keytab-crash-on-memory-exhaustion.patch | 52 +++++++++++++++++++
 ...x-preauth-crash-on-memory-exhaustion.patch | 32 ++++++++++++
 ...x-profile-crash-on-memory-exhaustion.patch | 32 ++++++++++++
 krb5.spec | 8 ++-
 4 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
 create mode 100644 backport-Fix-preauth-crash-on-memory-exhaustion.patch
 create mode 100644 backport-Fix-profile-crash-on-memory-exhaustion.patch

diff --git a/backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch b/backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
new file mode 100644
index 0000000..095474c
--- /dev/null
+++ b/backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
@@ -0,0 +1,52 @@
+From 6bc90214830cb5239aa397c20763902f10f11786 Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Sun, 27 Nov 2022 22:57:14 +0800
+Subject: [PATCH] Fix gic_keytab crash on memory exhaustion
+
+get_as_key_keytab() does not check the result of krb5_copy_keyblock(),
+and dereferences a null pointer if it fails. Remove the call and
+steal the memory from kt_ent instead.
+
+[ghudson@mit.edu: rewrote commit message; fixed comments]
+
+ticket: 9080 (new)
+---
+ src/lib/krb5/krb/gic_keytab.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
+index b8b7c1506..f9baabbf9 100644
+--- a/src/lib/krb5/krb/gic_keytab.c
++++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -45,7 +45,6 @@ get_as_key_keytab(krb5_context context,
+ krb5_keytab keytab = (krb5_keytab) gak_data;
+ krb5_error_code ret;
+ krb5_keytab_entry kt_ent;
+- krb5_keyblock *kt_key;
+
+ /* We don't need the password from the responder to create the AS key. */
+ if (as_key == NULL)
+@@ -71,16 +70,13 @@ get_as_key_keytab(krb5_context context,
+ etype, &kt_ent)))
+ return(ret);
+
+- ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
+-
+- /* again, krb5's memory management is lame... */
+-
+- *as_key = *kt_key;
+- free(kt_key);
++ /* Steal the keyblock from kt_ent for the caller. */
++ *as_key = kt_ent.key;
++ memset(&kt_ent.key, 0, sizeof(kt_ent.key));
+
+ (void) krb5_kt_free_entry(context, &kt_ent);
+
+- return(ret);
++ return 0;
+ }
+
+ /* Return the list of etypes available for client in keytab. */
+--
+2.32.0.windows.1
+
diff --git a/backport-Fix-preauth-crash-on-memory-exhaustion.patch b/backport-Fix-preauth-crash-on-memory-exhaustion.patch
new file mode 100644
index 0000000..e87a399
--- /dev/null
+++ b/backport-Fix-preauth-crash-on-memory-exhaustion.patch
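Review bot: The new comment says only that the keyblock is stolen; it should also say why the `memset(&kt_ent.key, 0, sizeof(kt_ent.key))` is needed, since the whole point is that the `krb5_kt_free_entry()` call two lines later must not release the contents that now belong to the caller. Suggest `/* Steal the keyblock from kt_ent for the caller, and zero it so that krb5_kt_free_entry() below does not free the contents we hand out. */`. This presumably relies on the entry-free routine tolerating a keyblock with NULL contents and zero length, which is worth confirming against the 1.19.2 tree the backport lands on. Moving the key instead of copying it also leaves no second copy of the key bytes behind, which is a good property to note in the backport description. get_as_key_keytab's beginning lies outside the hunk.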
@@ -0,0 +1,32 @@
+From 7736144eb613f797dea57a44da33007a19602e5e Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Sun, 27 Nov 2022 22:24:24 +0800
+Subject: [PATCH] Fix preauth crash on memory exhaustion
+
+In k5_preauth_request_context_init(), check the result of calloc().
+
+[ghudson@mit.edu: rewrote commit message; added free() of reqctx on error]
+
+ticket: 9079 (new)
+---
+ src/lib/krb5/krb/preauth2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
+index ffca476c2..32f35b761 100644
+--- a/src/lib/krb5/krb/preauth2.c
++++ b/src/lib/krb5/krb/preauth2.c
+@@ -263,6 +263,10 @@ k5_preauth_request_context_init(krb5_context context,
+ * preauth context's array of handles. */
+ for (count = 0; pctx->handles[count] != NULL; count++);
+ reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs));
++ if (reqctx->modreqs == NULL) {
++ free(reqctx);
++ return;
++ }
+ for (i = 0; i < count; i++) {
+ h = pctx->handles[i];
+ if (h->vt.request_init != NULL)
+--
+2.32.0.windows.1
+
diff --git a/backport-Fix-profile-crash-on-memory-exhaustion.patch b/backport-Fix-profile-crash-on-memory-exhaustion.patch
new file mode 100644
index 0000000..b9690f5
--- /dev/null
+++ b/backport-Fix-profile-crash-on-memory-exhaustion.patch
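Review bot: The new NULL check treats a NULL result from `calloc(count, ...)` as allocation failure, but `count` comes from the loop on the preceding line and is zero when the preauth context has no handles; calloc with a zero element count is allowed by the C standard to return NULL, so on such an implementation an empty handle list would now free reqctx and return without setting up the request context. Guarding the failure path on a non-zero count removes the ambiguity, e.g. `if (reqctx->modreqs == NULL && count > 0) {`, or allocate `count + 1` elements so the call is never zero-sized. The function is void, so the early `return;` gives the caller no signal; whether a missing request context is handled downstream cannot be seen from the hunk and is worth confirming. k5_preauth_request_context_init's beginning and end lie outside the hunk.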
@@ -0,0 +1,32 @@
+From 2929ec400c174bc848a9c438a61b0e3506b91d0e Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Thu, 24 Nov 2022 21:59:21 +0800
+Subject: [PATCH] Fix profile crash on memory exhaustion
+
+In profile_get_values(), if init_list() fails to allocate values.list,
+end_list() will dereference a null pointer. Fix end_list() to handle
+list->list being null.
+
+[ghudson@mit.edu: rewrote commit message]
+
+ticket: 9078 (new)
+---
+ src/util/profile/prof_get.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/profile/prof_get.c b/src/util/profile/prof_get.c
+index 0e14200ca..12c7b9641 100644
+--- a/src/util/profile/prof_get.c
++++ b/src/util/profile/prof_get.c
+@@ -62,7 +62,7 @@ static void end_list(struct profile_string_list *list, char ***ret_list)
+ *ret_list = list->list;
+ return;
+ } else {
+- for (cp = list->list; *cp; cp++)
++ for (cp = list->list; cp && *cp; cp++)
+ free(*cp);
+ free(list->list);
+ }
+--
+2.32.0.windows.1
+
diff --git a/krb5.spec b/krb5.spec
index cb35425..97f0715 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@
 Name: krb5
 Version: 1.19.2
-Release: 4
+Release: 5
 Summary: The Kerberos network authentication protocol
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 
@@ -28,6 +28,9 @@ Patch5: Remove-3des-support.patch
 Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
 Patch7: backport-CVE-2021-37750.patch
 Patch8: Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
+Patch9: backport-Fix-profile-crash-on-memory-exhaustion.patch
+Patch10: backport-Fix-preauth-crash-on-memory-exhaustion.patch
+Patch11: backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
 
 BuildRequires: gettext
 BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -320,6 +323,9 @@ make -C src check || :
 
 %changelog
+* Tue Dec 20 2022 zhouchenchen - 1.19.2-5
+- fix some coredump
+
 * Fri Dec 2 2022 zhouchenchen - 1.19.2-4
 - fix CVE-2022-42898
 
-- 
Gitee
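Review bot: The added `cp &&` guard is re-evaluated on every iteration although cp can only be NULL on entry to the loop, which obscures the intent of the fix; a one-time `if (list->list != NULL)` around the loop reads more clearly, and `free(list->list)` can stay unconditional since freeing NULL is a no-op. A short comment would also tell the next reader how a NULL list reaches this cleanup branch, e.g. `/* list->list is NULL if init_list() failed to allocate it. */`, which is what the backport description states. end_list's body continues outside the hunk, so it is not visible whether anything after the loop touches list->list again.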