The Samba-Bugzilla – Attachment 17679 Details for Bug 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST
Patches for v4-15-test
bfixes-CVE-2022-44640-v4-15.txt (text/plain), 5.38 KB, created by Stefan Metzmacher on 2022-12-07 19:04:57 UTC
Description: Patches for v4-15-test
Filename: bfixes-CVE-2022-44640-v4-15.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2022-12-07 19:04:57 UTC
Size: 5.38 KB
Attachment type: patch, obsolete
>From b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f Mon Sep 17 00:00:00 2001 >From: Nicolas Williams <nico@twosigma.com> >Date: Wed, 10 Mar 2021 16:49:04 -0600 >Subject: [PATCH 1/2] CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec > >This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3. > >Heimdal's ASN.1 compiler generates code that allows specially >crafted DER encodings of CHOICEs to invoke the wrong free function >on the decoded structure upon decode error. This is known to impact >the Heimdal KDC, leading to an invalid free() of an address partly >or wholly under the control of the attacker, in turn leading to a >potential remote code execution (RCE) vulnerability. > >This error affects the DER codec for all CHOICE types used in >Heimdal, though not all cases will be exploitable. We have not >completed a thorough analysis of all the Heimdal components >affected, thus the Kerberos client, the X.509 library, and other >parts, may be affected as well. > >This bug has been in Heimdal since 2005. It was first reported by >Douglas Bagnall, though it had been found independently by the >Heimdal maintainers via fuzzing a few weeks earlier. > >While no zero-day exploit is known, such an exploit will likely be >available soon after public disclosure. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 > >[abartlet@samba.org Adapted from Heimdal commit >ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15 >by dropping fuzz-inputs file and EXPORTS entry for fuzzing] > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/lib/asn1/gen_decode.c | 12 ++++++------ > source4/heimdal/lib/asn1/gen_free.c | 7 +++++++ > 2 files changed, 13 insertions(+), 6 deletions(-) > >diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c >index 9d816d5400d7..bf2d93b806df 100644 >--- a/source4/heimdal/lib/asn1/gen_decode.c 
>+++ b/source4/heimdal/lib/asn1/gen_decode.c >@@ -584,14 +584,14 @@ decode_type (const char *name, const Type *t, int optional, > classname(cl), > ty ? "CONS" : "PRIM", > valuename(cl, tag)); >+ fprintf(codefile, >+ "(%s)->element = %s;\n", >+ name, m->label); > if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&", > name, m->gen_name) < 0 || s == NULL) > errx(1, "malloc"); > decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, > depth + 1); >- fprintf(codefile, >- "(%s)->element = %s;\n", >- name, m->label); > free(s); > fprintf(codefile, > "}\n"); >@@ -600,23 +600,23 @@ decode_type (const char *name, const Type *t, int optional, > if (have_ellipsis) { > fprintf(codefile, > "else {\n" >+ "(%s)->element = %s;\n" > "(%s)->u.%s.data = calloc(1, len);\n" > "if ((%s)->u.%s.data == NULL) {\n" > "e = ENOMEM; %s;\n" > "}\n" > "(%s)->u.%s.length = len;\n" > "memcpy((%s)->u.%s.data, p, len);\n" >- "(%s)->element = %s;\n" > "p += len;\n" > "ret += len;\n" > "len = 0;\n" > "}\n", >+ name, have_ellipsis->label, > name, have_ellipsis->gen_name, > name, have_ellipsis->gen_name, > forwstr, > name, have_ellipsis->gen_name, >- name, have_ellipsis->gen_name, >- name, have_ellipsis->label); >+ name, have_ellipsis->gen_name); > } else { > fprintf(codefile, > "else {\n" >diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c >index b9cae7533b17..74449fe6ca82 100644 >--- a/source4/heimdal/lib/asn1/gen_free.c >+++ b/source4/heimdal/lib/asn1/gen_free.c >@@ -61,6 +61,13 @@ free_type (const char *name, const Type *t, int preserve) > case TNull: > case TGeneralizedTime: > case TUTCTime: >+ /* >+ * This doesn't do much, but it leaves zeros where garbage might >+ * otherwise have been found. Gets us closer to having the equivalent >+ * of a memset()-to-zero data structure after calling the free >+ * functions. >+ */ >+ fprintf(codefile, "*%s = 0;\n", name); > break; > case TBitString: > if (ASN1_TAILQ_EMPTY(t->members)) >-- >2.34.1 
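Review bot: in the first gen_decode.c hunk (@@ -584), emitting `(%s)->element = %s;` before the nested decode_type() call rather than after it is the core of the fix: when decoding of the member fails part-way, the generated free function now dispatches on the element tag of the member that was actually being filled in, instead of on a stale or zero tag that sends it down the wrong free path. This only makes freeing a half-decoded member safe if the output structure was zeroed at decoder entry, which is not visible in this hunk; worth confirming that the generated decoder still does that.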
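Review bot: in the second gen_decode.c hunk (@@ -600, the have_ellipsis branch), the reordered format string and the reordered argument list agree: the format now consumes (name, have_ellipsis->label) first, then (name, have_ellipsis->gen_name) for the calloc and NULL check, forwstr, and (name, have_ellipsis->gen_name) twice more for the length and memcpy lines, eleven arguments as before. One behavioural consequence worth a line in the commit message: when calloc() fails, element is now already set when the generated code jumps through forwstr, so the free function will visit the ellipsis member with data == NULL and an unset length; that is fine as long as the octet-string free path tolerates a NULL data pointer.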
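Review bot: in the gen_free.c hunk (@@ -61), writing `*%s = 0;` for the primitive types grouped under this case label makes the generated free functions leave a known state behind, which is what lets callers free a structure on the error path without knowing how far decoding got. Note the visible side effect for callers: a primitive field read after calling the free function now yields 0 rather than the decoded value, so any existing read-after-free of such a field (the second patch in this attachment fixes one for PA-ENC-TS-ENC's patimestamp) must be reordered at the same time as this change lands.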
> > >From 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 7 Dec 2022 20:13:25 +1300 >Subject: [PATCH 2/2] CVE-2022-44640 source4/heimdal: Fix use-after-free when > decoding PA-ENC-TS-ENC > >Upstream Heimdal fixed this in commit >7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of >ENC-CHALLANGE). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/kdc/kerberos5.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index ad026dd617bd..bda61e69df2a 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context, > client_name); > continue; > } >- free_PA_ENC_TS_ENC(&p); > if (abs(kdc_time - p.patimestamp) > context->max_skew) { > char client_time[100]; > >@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context, > * there is a e_text, they become unhappy. > */ > e_text = NULL; >+ free_PA_ENC_TS_ENC(&p); > goto out; > } >+ free_PA_ENC_TS_ENC(&p); > et.flags.pre_authent = 1; > > set_salt_padata(rep.padata, pa_key->salt); >-- >2.34.1 >
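Review bot: in the first kerberos5.c hunk (@@ -1391), removing `free_PA_ENC_TS_ENC(&p);` here is required because the very next line reads `p.patimestamp`; with the gen_free.c change in the first patch the free function zeroes that field, which would turn the check into `abs(kdc_time - 0) > context->max_skew`. The `continue;` just above this removal leaves the loop without any free in both the old and the new code, so confirm that branch is reached only when p was not successfully decoded (the lines that decide that are outside this hunk).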
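Review bot: in the second kerberos5.c hunk (@@ -1413), the added `free_PA_ENC_TS_ENC(&p);` now sits on both exits of this block, before `goto out` in the skew-failure branch and before `et.flags.pre_authent = 1;` on success, so p is released exactly once on each path. Since the identical call is duplicated a few lines apart, a single free placed after the `if` block (with the skew-failure branch setting e_text and falling through to it before `goto out`) would be harder to break in future edits; as written it is correct. The subject line says "use-after-free" while the defect is a read of a field that the updated free function now zeroes, so stating that in the commit message would save the next reader from looking for a heap free.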
Flags: metze: ci-passed+