The Samba-Bugzilla – Attachment 18158 Details for Bug 15491
CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19
[patch] patch v2 for Samba 4.19
bug-15491-4.19-v2.patch (text/plain), 2.01 KB, created by Jo Sutton on 2023-10-15 22:05:54 UTC

Description: patch v2 for Samba 4.19
Filename: bug-15491-4.19-v2.patch
MIME Type: text/plain
Creator: Jo Sutton
Created: 2023-10-15 22:05:54 UTC
Size: 2.01 KB
>From 81b593f04bb0ddefb25b5867dd201ef4e3f22fd0 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 10 Oct 2023 11:59:34 +1300 >Subject: [PATCH] CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token > memory handling (Import lorikeet-heimdal-202310092148 (commit > 38aa80e35b6b1e16b081fa9c005c03b1e6994204)) > >The issue here is that only the size of the pointer, not the size >of the struture was allocated with calloc(). > >This means that the malloc() for the freshness token bytes would >have the memory address written beyond the end of the allocated memory. > >Additionally, the allocation was not free()ed, resulting in a memory >leak. This means that a user could trigger ongoing memory allocation >in the server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b) >--- > third_party/heimdal/kdc/pkinit.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c >index 495dfa7a7e5..88aa2887fb7 100644 >--- a/third_party/heimdal/kdc/pkinit.c >+++ b/third_party/heimdal/kdc/pkinit.c >@@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp) > hx509_peer_info_free(cp->peer); > if (cp->client_anchors) > hx509_certs_free(&cp->client_anchors); >+ if (cp->freshness_token) >+ der_free_octet_string(cp->freshness_token); >+ free(cp->freshness_token); > memset(cp, 0, sizeof(*cp)); > free(cp); > } 
>@@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, > * Copy the freshness token into the out parameters if it is present. > */ > if (ap.pkAuthenticator.freshnessToken != NULL) { >- cp->freshness_token = calloc(1, sizeof (cp->freshness_token)); >+ cp->freshness_token = calloc(1, sizeof (*cp->freshness_token)); > if (cp->freshness_token == NULL) { > ret = ENOMEM; > free_AuthPack(&ap); >-- >2.39.1 >
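Review bot: in the _kdc_pk_free_client_param hunk, `der_free_octet_string(cp->freshness_token)` is guarded by `if (cp->freshness_token)` while the `free(cp->freshness_token);` that follows sits outside the guard. The result is correct, since free(NULL) is a no-op and the separate free() is needed because der_free_octet_string releases the octet string's contents rather than the struct allocated in _kdc_pk_rd_padata, but at a glance it reads as if the free were also meant to be conditional. Suggest putting both calls inside braces under the one if, so the pairing (release the bytes, then the struct) is explicit and matches the if/free style of the `client_anchors` lines just above. The ordering relative to `memset(cp, 0, sizeof(*cp))` and `free(cp)` is right.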
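Review bot: the change from `sizeof (cp->freshness_token)` to `sizeof (*cp->freshness_token)` in _kdc_pk_rd_padata is the whole of the overflow fix and is correct: the old expression is the size of the pointer field, so the block returned by calloc() was one pointer wide and storing the token's `data` pointer into the new struct landed past its end, as the commit message describes. Two follow-ups for the hunk: it adds no regression test, and an AS-REQ with a PA-PK-AS-REQ that carries a freshnessToken run under ASan would have caught the original bug and will catch a regression, so one is worth adding alongside the fix; and since this is the classic `sizeof(ptr)` versus `sizeof(*ptr)` slip, a grep for `sizeof (cp->` in the same file is cheap insurance against a sibling. The `ret = ENOMEM` path leaves `cp->freshness_token` NULL, which the NULL check in the new free code tolerates.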
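The commit message explains the bug as an allocation sized by `sizeof` of the pointer rather than of the struct. The following is an added example, not Samba or Heimdal code: it reproduces that mismatch with a stand-in struct whose layout (a `length` then a `data` pointer) is assumed to mirror `heim_octet_string`, measures the overrun from field offsets instead of performing the out-of-bounds store, and places a correct allocate, copy and release sequence beside it in the shape of the patched code. All type and function names here are hypothetical.

```c
/* Added example (not Samba or Heimdal code). Shows the sizeof(ptr) vs
 * sizeof(*ptr) mistake fixed by the patch, measured rather than executed,
 * next to a correct allocate/copy/free lifecycle for the token. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for Heimdal's heim_octet_string: a length and a data pointer. */
typedef struct {
    size_t length;
    void *data;
} octet_string;

/* Assumed stand-in for the one field of pk_client_params the patch touches. */
typedef struct {
    octet_string *freshness_token;
} client_params;

/* Pre-patch request: sizeof the pointer field, i.e. one machine pointer. */
size_t buggy_alloc_size(void)
{
    client_params cp;
    return sizeof(cp.freshness_token);
}

/* Post-patch request: sizeof the pointed-to struct. */
size_t fixed_alloc_size(void)
{
    client_params cp;
    return sizeof(*cp.freshness_token);
}

/* Bytes that storing freshness_token->data would land past the end of a
 * buggy-sized block. Computed from offsets; actually doing the store would
 * be the heap overflow itself. */
size_t bytes_written_past_end(void)
{
    size_t end_of_data = offsetof(octet_string, data) + sizeof(void *);
    size_t alloc = buggy_alloc_size();
    return end_of_data > alloc ? end_of_data - alloc : 0;
}

/* Correct deep copy: allocate the struct with the patched sizeof, then the bytes. */
int set_freshness_token(client_params *cp, const uint8_t *src, size_t len)
{
    octet_string *tok = calloc(1, sizeof(*tok));
    if (tok == NULL)
        return ENOMEM;
    tok->data = malloc(len ? len : 1);
    if (tok->data == NULL) {
        free(tok);
        return ENOMEM;
    }
    memcpy(tok->data, src, len);
    tok->length = len;
    cp->freshness_token = tok;
    return 0;
}

/* Same release order as the patched _kdc_pk_free_client_param: contents,
 * then the struct, then clear the owner so the pointer cannot dangle. */
void free_client_params(client_params *cp)
{
    if (cp->freshness_token) {
        free(cp->freshness_token->data);
        free(cp->freshness_token);
    }
    memset(cp, 0, sizeof(*cp));
}

/* Round trip on a constructed token (sample bytes, not a real freshness token);
 * returns 1 on success, 0 otherwise. */
int round_trip_ok(void)
{
    static const uint8_t tok[] = { 0x04, 0x08, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
    client_params cp = { 0 };
    int ok;

    if (set_freshness_token(&cp, tok, sizeof tok) != 0)
        return 0;
    ok = cp.freshness_token->length == sizeof tok &&
         memcmp(cp.freshness_token->data, tok, sizeof tok) == 0;
    free_client_params(&cp);
    return ok && cp.freshness_token == NULL;
}

int main(void)
{
    printf("buggy calloc size: %zu bytes, needed: %zu bytes, overrun: %zu bytes\n",
           buggy_alloc_size(), fixed_alloc_size(), bytes_written_past_end());
    printf("round trip: %s\n", round_trip_ok() ? "ok" : "FAILED");
    return round_trip_ok() ? 0 : 1;
}
```

On a 64-bit build the buggy request is 8 bytes against a 16-byte struct, so the `data` store overruns by a full pointer width; on 32-bit the numbers halve but the mismatch is the same. Building the real code with AddressSanitizer and sending a PKINIT request that carries a freshness token is the practical way to see the write the commit message describes.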
Flags: abartlet: review+
Attachments on bug 15491: 18156 | 18158