The Samba-Bugzilla – Attachment 18156 Details for Bug 15491
CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19
[patch] patch for Samba 4.19
bug-15491-4.19.patch (text/plain), 1.99 KB, created by Jo Sutton on 2023-10-13 00:34:19 UTC
Description: patch for Samba 4.19
Filename: bug-15491-4.19.patch
MIME Type: text/plain
Creator: Jo Sutton
Created: 2023-10-13 00:34:19 UTC
Size: 1.99 KB
patch
obsolete
>From 7dc90aa05b32780ffee2d2ec4c1a0ac6769976b2 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 10 Oct 2023 11:59:34 +1300 >Subject: [PATCH] third_party/heimdal: Fix PKINIT freshness token memory > handling (Import lorikeet-heimdal-202310092148 (commit > 38aa80e35b6b1e16b081fa9c005c03b1e6994204)) > >The issue here is that only the size of the pointer, not the size >of the struture was allocated with calloc(). > >This means that the malloc() for the freshness token bytes would >have the memory address written beyond the end of the allocated memory. > >Additionally, the allocation was not free()ed, resulting in a memory >leak. This means that a user could trigger ongoing memory allocation >in the server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b) >--- > third_party/heimdal/kdc/pkinit.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c >index 495dfa7a7e5..88aa2887fb7 100644 >--- a/third_party/heimdal/kdc/pkinit.c >+++ b/third_party/heimdal/kdc/pkinit.c >@@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp) > hx509_peer_info_free(cp->peer); > if (cp->client_anchors) > hx509_certs_free(&cp->client_anchors); >+ if (cp->freshness_token) >+ der_free_octet_string(cp->freshness_token); >+ free(cp->freshness_token); > memset(cp, 0, sizeof(*cp)); > free(cp); > } 
>@@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, > * Copy the freshness token into the out parameters if it is present. > */ > if (ap.pkAuthenticator.freshnessToken != NULL) { >- cp->freshness_token = calloc(1, sizeof (cp->freshness_token)); >+ cp->freshness_token = calloc(1, sizeof (*cp->freshness_token)); > if (cp->freshness_token == NULL) { > ret = ENOMEM; > free_AuthPack(&ap); >-- >2.39.1 >
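Review bot: in the _kdc_pk_free_client_param hunk, the unguarded free(cp->freshness_token) after the guarded der_free_octet_string(cp->freshness_token) is correct as written: free(NULL) is a no-op, and der_free_octet_string releases only the buffer held inside the octet string, not the structure that was calloc()ed, so both calls are needed to close the leak described in the commit message. Moving the free inside the same if block would make that pairing explicit and keep the two releases together; the memset(cp, 0, sizeof(*cp)) that follows already rules out a second free of the same pointer.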
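Review bot: in the _kdc_pk_rd_padata hunk, the single change from sizeof (cp->freshness_token) to sizeof (*cp->freshness_token) is the whole overflow fix and is right: the old expression allocated only the size of a pointer for the octet string structure (the type der_free_octet_string takes), so storing the token's length and data pointer into it wrote past the end of the allocation, which is the heap overflow in the bug title. The code that fills the token lies below the visible context, so review should confirm that a failure in that later copy also releases cp->freshness_token (the ENOMEM branch shown here is fine because the pointer is NULL on that path). Because sizeof-of-pointer is easy to reintroduce, a short comment naming the pointed-to type next to this calloc would help keep the fix from regressing.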