Douglas Bagnall found, using Honggfuzz, a free() of uninitialised data in the generated code for ASN.1. The initial case is in the KrbFastArmoredReq, thankfully something Samba doesn't have a codepath to; however, as the issue is generic we need to be careful in case another case is used. (Samba will have a codepath to KrbFastArmoredReq once the Heimdal upgrade is merged from https://gitlab.com/samba-team/samba/-/merge_requests/2014 )
The other codepaths towards this are in rfc2459, but a careful analysis shows that the enums chosen by the compiler all start with value 1 and the structure is zeroed with a memset(data, 0, sizeof(*data)). Therefore production Samba is not impacted.
Removing embargo as Heimdal has released with this. Samba will look to include the fix for this, for Samba 4.15 (which doesn't use a modern Heimdal and the template compiler) in the next security release on a 'to be sure' basis. https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
(In reply to Andrew Bartlett from comment #2) Andrew, what do we need to do here for 4.15?
I suggest we find the patch in Heimdal master, apply to our master and backport to the other releases. Thankfully we don't even use this any more in master/4.17/4.16 but the code will be there so we can just do this via a MR like the others I think.
I suspect the change in question is:

commit 9c9dac2b169255bad9071eea99fa90b980dde767
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Mar 10 16:49:04 2021 -0600

    asn1: CVE-2022-44640 invalid free in ASN.1 codec

    Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well.

    This bug has been in Heimdal since 2005. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier.
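The following is an added illustration, not Heimdal's generated code or anything from the Samba tree. It models in plain C the two properties the analysis in comment #1 relies on (the CHOICE discriminator enum starting at 1, and the structure being zeroed with memset before decoding) and shows why, with that layout, a decode error that occurs before any alternative has been selected leaves the generated-style free routine with nothing to dispatch on, so no free function is invoked on unset data. The type ExampleChoice, its enum values, the toy TLV decoder and the two check functions are all hypothetical names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical CHOICE with two alternatives. As in the layout the Samba
 * analysis describes, numbering starts at 1, so an all-zero struct means
 * "no alternative selected". */
enum ExampleChoice_enum {
    choice_ExampleChoice_asInteger = 1,
    choice_ExampleChoice_asString = 2
};

typedef struct ExampleChoice {
    enum ExampleChoice_enum element;
    union {
        int64_t asInteger;
        char *asString;   /* heap allocated only when this alternative is chosen */
    } u;
} ExampleChoice;

static int frees_performed;   /* lets the checks prove when free() actually ran */

/* Free routine in the style of a generated CHOICE free function: it dispatches
 * on the discriminator. Zero matches no case, so nothing is freed. */
static void free_ExampleChoice(ExampleChoice *data)
{
    switch (data->element) {
    case choice_ExampleChoice_asString:
        free(data->u.asString);
        data->u.asString = NULL;
        frees_performed++;
        break;
    case choice_ExampleChoice_asInteger:
        break;   /* nothing allocated for this alternative */
    default:
        break;   /* element == 0: nothing was ever decoded */
    }
    data->element = 0;
}

/* Toy TLV decoder: tag 0x02 = INTEGER, tag 0x0c = UTF8String, one length byte.
 * Returns 0 on success, -1 on error; every error path releases the struct via
 * the free routine above, which is where the enum/memset layout matters. */
static int decode_ExampleChoice(const uint8_t *p, size_t len, ExampleChoice *data)
{
    memset(data, 0, sizeof(*data));        /* the zeroing the analysis relies on */
    if (len < 2 || (size_t)p[1] != len - 2) {
        free_ExampleChoice(data);          /* element still 0: no-op */
        return -1;
    }
    switch (p[0]) {
    case 0x02: {
        int64_t v = 0;
        for (size_t i = 0; i < (size_t)p[1]; i++)
            v = (v << 8) | p[2 + i];
        data->u.asInteger = v;
        data->element = choice_ExampleChoice_asInteger;
        return 0;
    }
    case 0x0c:
        data->u.asString = malloc((size_t)p[1] + 1);
        if (data->u.asString == NULL) {
            free_ExampleChoice(data);      /* element still 0: no-op */
            return -1;
        }
        memcpy(data->u.asString, p + 2, p[1]);
        data->u.asString[p[1]] = '\0';
        data->element = choice_ExampleChoice_asString;
        return 0;
    default:
        free_ExampleChoice(data);          /* unknown tag, element still 0 */
        return -1;
    }
}

/* Check 1: a truncated encoding (constructed input) fails before any
 * alternative is selected and the free routine never touches the union. */
static int zeroed_choice_free_is_noop(void)
{
    ExampleChoice c;
    const uint8_t truncated[] = { 0x0c, 0x05, 'h' };
    frees_performed = 0;
    if (decode_ExampleChoice(truncated, sizeof(truncated), &c) != -1) return 0;
    return frees_performed == 0 && c.element == 0 && c.u.asString == NULL;
}

/* Check 2: a valid string (constructed input) decodes and its matching free
 * runs exactly once. */
static int string_choice_round_trip(void)
{
    ExampleChoice c;
    const uint8_t ok[] = { 0x0c, 0x02, 'h', 'i' };
    frees_performed = 0;
    if (decode_ExampleChoice(ok, sizeof(ok), &c) != 0) return 0;
    if (c.element != choice_ExampleChoice_asString || strcmp(c.u.asString, "hi") != 0) return 0;
    free_ExampleChoice(&c);
    return frees_performed == 1 && c.element == 0;
}

int main(void)
{
    printf("zeroed free is no-op: %d\n", zeroed_choice_free_is_noop());
    printf("string round trip:    %d\n", string_choice_round_trip());
    return 0;
}
```

The point of the model is the combination: if either property were missing (an alternative numbered 0, or a struct that is not zeroed before the first error path), the default branch of the free routine would no longer be the one reached on an early decode failure, which is the situation the Heimdal commit message describes as calling the wrong free function. Compiling with -fsanitize=address is a cheap way to confirm on a real codec that the error paths stay free of invalid frees.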
This bug was referenced in samba master: 5a02915913a2410904886e186ada90a36492571f 68fc909a7f4d69c254d34bec85cf8431bcb6e72f
Created attachment 17675 [details] Patches for v4-17-test
Created attachment 17676 [details] Patch for v4-16-test
Andrew, the fix doesn't apply to v4-15, do we need a different patch or can we drop it there?
I'm changing from CVE-2021-44758 to CVE-2022-44640 (the one used in the commit message)
Pushed to autobuild-v4-{16,17}-test
This bug was referenced in samba v4-16-test: d7eccdbb0285ee2c1b07377471215692e9c7f3d0 2736d267aa9cfd49bd1c9a934d4788a2b9c49809
This bug was referenced in samba v4-17-test: 7b90f5c8296eeeeeebed5c2f969a96e78708d848 7bb1180c5adf98220962ee23938dc708ebd7bd02
(In reply to Stefan Metzmacher from comment #9) I'll figure out what is needed for 4.15 today. This needs to be fixed in 4.15 as that is where we actually run this code (even if harmlessly, per our current analysis).
Despite the scary advisory in upstream Heimdal, Samba is not currently known to be vulnerable to this issue because we don't have a path to the vulnerable FAST functionality that decodes KrbFastArmoredReq in Samba 4.15, and we use a newer ASN.1 parser in Samba 4.16 and 4.17. See comment #1 for our analysis regarding other structures in use. Despite this, we want the patch to be included in supported releases so that we can't become vulnerable if a feature is backported (for 4.15) or the codegen ASN.1 backend is selected for some reason in the future (for 4.16 and 4.17).
This bug was referenced in samba v4-15-test: b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f 73c7c6ec9bc3a1993e766f119e9e29905ded5e28
Created attachment 17679 [details] Patches for v4-15-test. This is already in v4-15-test.
Comment on attachment 17679 [details] Patches for v4-15-test. These are already in v4-15-test; they passed a private autobuild.
Will be in the next 4.15, 4.16 and 4.17 releases.
This bug was referenced in samba v4-15-stable (Release samba-4.15.13): b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f 73c7c6ec9bc3a1993e766f119e9e29905ded5e28
This bug was referenced in samba v4-17-stable (Release samba-4.17.4): 7b90f5c8296eeeeeebed5c2f969a96e78708d848 7bb1180c5adf98220962ee23938dc708ebd7bd02
This bug was referenced in samba v4-16-stable (Release samba-4.16.8): d7eccdbb0285ee2c1b07377471215692e9c7f3d0 2736d267aa9cfd49bd1c9a934d4788a2b9c49809