Bug 14929 (CVE-2021-44758) - CVE-2021-44758 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST
Summary: CVE-2021-44758 [SECURITY] Upstream Heimdal free of user-controlled pointer in...
Status: NEW
Alias: CVE-2021-44758
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All (OS: All)
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://github.com/heimdal/heimdal/re...
Keywords:
Depends on:
Blocks: 14079 15238
Reported: 2021-12-09 08:03 UTC by Andrew Bartlett
Modified: 2022-11-18 00:17 UTC (History)
CC List: 4 users

Description Andrew Bartlett 2021-12-09 08:03:55 UTC
Douglas Bagnall found, using Honggfuzz, a free() of uninitialised data in the generated code for ASN.1.

The initial case is in the KrbFastArmoredReq, thankfully something Samba doesn't have a codepath to; however, as the issue is generic, we need to be careful in case another case is used.

(Samba will have a codepath to KrbFastArmoredReq once the Heimdal upgrade is merged from https://gitlab.com/samba-team/samba/-/merge_requests/2014 )
Comment 1 Andrew Bartlett 2021-12-09 22:14:07 UTC
The other codepaths towards this are in rfc2459, but a careful analysis shows that the enums chosen by the compiler all start with value 1 and the structure is zeroed with a memset(data, 0, sizeof(*data)).

Therefore production Samba is not impacted.
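The reasoning in comment 1, as an added C illustration that is not Heimdal's or Samba's code: a hypothetical CHOICE type (all names invented) whose discriminator enum starts at 1, so a decoder that zeroes its output with memset() before parsing leaves the free routine nothing to free on an early error path.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical CHOICE type shaped like Heimdal's generated ASN.1 code (names
 * invented here): the discriminator enum starts at 1, so a zeroed struct has
 * element == 0, which no case of the free routine matches. */
enum armor_choice { choice_none = 0, choice_armor_a = 1 };
struct armor_a { uint8_t *buf; size_t len; };
struct armor_choice_t {
    enum armor_choice element;
    union { struct armor_a *a; } u;
};

static int frees_observed = 0;  /* instrumentation so a test can see what was freed */

void free_armor_choice(struct armor_choice_t *data) {
    switch (data->element) {
    case choice_armor_a:
        free(data->u.a->buf);
        free(data->u.a);
        frees_observed += 2;
        break;
    default:  /* choice_none: nothing allocated, so nothing to free */
        break;
    }
    data->element = choice_none;
}

/* Toy decoder: byte 0 selects the alternative, the rest is payload. Zeroing
 * the output before parsing means every error path reaches free_armor_choice
 * with element == choice_none rather than whatever was on the stack. */
int decode_armor_choice(const uint8_t *p, size_t len, struct armor_choice_t *data) {
    memset(data, 0, sizeof(*data));  /* the mitigation described in comment 1 */
    if (len < 2) goto fail;
    if (p[0] == 1) {
        data->u.a = calloc(1, sizeof(*data->u.a));
        if (!data->u.a) goto fail;
        data->element = choice_armor_a;  /* set only once u.a is valid */
        data->u.a->buf = malloc(len - 1);
        if (!data->u.a->buf) goto fail;
        memcpy(data->u.a->buf, p + 1, len - 1);
        data->u.a->len = len - 1;
        return 0;
    }
fail:  /* unknown tag, short input or allocation failure */
    free_armor_choice(data);
    return -1;
}
```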
Comment 2 Andrew Bartlett 2022-11-17 21:14:55 UTC
Removing embargo as Heimdal has released with this. Samba will look to include the fix for this, for Samba 4.15 (which doesn't use a modern Heimdal and the template compiler), in the next security release on a 'to be sure' basis.

https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0