Bug 15155 (CVE-2022-3116) - CVE-2022-3116 [NOT SECURITY] heimdal NULL deref in lib/gssapi/spnego/accept_sec_context.c
Summary: CVE-2022-3116 [NOT SECURITY] heimdal NULL deref in lib/gssapi/spnego/accept_sec_context.c
Status: RESOLVED WONTFIX
Alias: CVE-2022-3116
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.9
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://kb.cert.org/vuls/id/730793
Keywords:
Duplicates: 15204
Depends on:
Blocks:

Reported: 2022-08-23 22:33 UTC by Douglas Bagnall
Modified: 2022-10-13 20:24 UTC
CC: 5 users
See Also:

Attachments
a patch being handed round the internet (2.05 KB, patch), 2022-09-01 00:10 UTC, Douglas Bagnall

Description Douglas Bagnall 2022-08-23 22:33:42 UTC
This was reported to us by Petr Štetiar of OpenWRT, and was fixed upstream in November 2021, hence the fix was included in the new Heimdal snapshot for 4.16.

The original report reputedly said:

"A flawed logical condition in lib/gssapi/spnego/accept_sec_context.c
allows a malicious actor to remotely trigger a NULL pointer dereference
using a crafted negTokenInit token."

The patch doesn't apply cleanly on our old snapshot, and it is not immediately clear to me how to adapt the second chunk.

https://github.com/heimdal/heimdal/commit/7a19658c1f4fc4adf85bb7bea96caae5ba57b33e

There is no CVE assigned, and the veil of secrecy is somewhat incomplete, given it was patched upstream last year.

Restricting to Samba developers for now.
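The report quoted above describes a NULL pointer dereference reachable from a crafted negTokenInit in the SPNEGO acceptor. The following is an added illustration written for this page, not Heimdal's code and not the attached patch: it models the general defensive point only. In RFC 4178, mechToken is an OPTIONAL field of NegTokenInit, so a decoded token may legitimately carry no mechToken at all; an acceptor must treat that absence as a distinct state rather than dereferencing the pointer. The struct, the two acceptor functions and the sample tokens are all constructed for the example; the only real identifier is the Kerberos V5 mechanism OID.

```c
/* Added example (hypothetical, not Heimdal's implementation): an absent
 * optional mechToken in a negTokenInit must be handled as its own case. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the parts of a decoded negTokenInit used here.
 * mech_token is NULL when the OPTIONAL mechToken field was not present. */
typedef struct {
    const char **mech_types;   /* NULL-terminated list of mechanism OID strings */
    const uint8_t *mech_token; /* NULL if mechToken was absent */
    size_t mech_token_len;
} neg_token_init;

enum accept_result {
    ACCEPT_CONTINUE = 0,   /* mechToken handed to the selected mechanism */
    ACCEPT_REJECT = 1,     /* malformed token or no acceptable mechanism */
    ACCEPT_NEED_TOKEN = 2  /* well-formed, but no mechToken to process yet */
};

/* Hypothetical flawed acceptor: it validates mechTypes but then reads
 * mech_token unconditionally. This models the failure class described in
 * the report (NULL deref from a crafted negTokenInit), not the exact
 * Heimdal condition. Never called with a token lacking mechToken below. */
int unsafe_acceptor_start(const neg_token_init *ni, uint8_t *first_byte)
{
    if (ni->mech_types == NULL || ni->mech_types[0] == NULL)
        return ACCEPT_REJECT;
    *first_byte = ni->mech_token[0];   /* BUG: mech_token may be NULL */
    return ACCEPT_CONTINUE;
}

/* Hardened acceptor: presence and length of the optional field are checked
 * before the pointer is touched, and absence maps to a non-fatal state. */
int safe_acceptor_start(const neg_token_init *ni, uint8_t *first_byte)
{
    if (ni == NULL || ni->mech_types == NULL || ni->mech_types[0] == NULL)
        return ACCEPT_REJECT;
    if (ni->mech_token == NULL || ni->mech_token_len == 0)
        return ACCEPT_NEED_TOKEN;
    *first_byte = ni->mech_token[0];
    return ACCEPT_CONTINUE;
}

/* Constructed sample: one mechanism listed, mechToken omitted. */
int demo_missing_mech_token(void)
{
    static const char *mechs[] = { "1.2.840.113554.1.2.2", NULL }; /* Kerberos V5 */
    neg_token_init ni = { mechs, NULL, 0 };
    uint8_t b = 0;
    return safe_acceptor_start(&ni, &b);   /* ACCEPT_NEED_TOKEN, no crash */
}

/* Constructed sample: same mechanism list with a (made-up) mechToken present.
 * Returns the first token byte on success, -1 otherwise. */
int demo_with_mech_token(void)
{
    static const char *mechs[] = { "1.2.840.113554.1.2.2", NULL };
    static const uint8_t tok[] = { 0x60, 0x01, 0x02 };   /* constructed bytes */
    neg_token_init ni = { mechs, tok, sizeof tok };
    uint8_t b = 0;
    if (safe_acceptor_start(&ni, &b) != ACCEPT_CONTINUE)
        return -1;
    return b;
}

int main(void)
{
    printf("missing mechToken -> result %d\n", demo_missing_mech_token());
    printf("present mechToken -> first byte 0x%02x\n", demo_with_mech_token());
    return 0;
}
```

The point for a reviewer of any SPNEGO acceptor is the second `if` in `safe_acceptor_start`: a field the ASN.1 schema marks OPTIONAL must have an explicit handling path for "absent", because an attacker controls whether it is present.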
Comment 1 Douglas Bagnall 2022-09-01 00:10:18 UTC
Created attachment 17504
a patch being handed round the internet

Attaching a patch we have received that claims to be by Jeffrey Altman.

It might work better for the old versions, pre the latest lorikeet Heimdal import. I haven't actually looked.
Comment 2 Douglas Bagnall 2022-09-01 01:00:40 UTC
(In reply to Douglas Bagnall from comment #1)
> I haven't actually looked.

I did. It sort of applies to old and new, and I am still not really sure what the status of this bug is.

I am taking the liberty of CCing Jeffrey Altman and some of our Kerberos experts, in the hope that someone can work out which patches, if any, we need for our various versions.
Comment 3 Douglas Bagnall 2022-09-13 05:20:21 UTC
Reportedly this will be published by CERT/CC on October 7.
Comment 4 Andrew Bartlett 2022-09-13 22:02:21 UTC
I'm almost certain Samba doesn't run this codepath; we handle the SPNEGO in GENSEC, not in Heimdal.

Either way, this does not meet our bar for a security release, as it would be in a child process that is restarted.
Comment 5 Andrew Bartlett 2022-09-13 22:17:53 UTC
https://samba-team.gitlab.io/samba/third_party/heimdal/lib/gssapi/spnego/index.html shows we don't run the Heimdal SPNEGO code, thankfully.
Comment 6 Andrew Bartlett 2022-10-13 20:21:48 UTC
*** Bug 15204 has been marked as a duplicate of this bug. ***