RT/krbdev.mit.edu: Ticket #8598 Preserve GSS context on init/accept failure

 The Basics  
Id
8598
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.15.2
  • 1.14.6
Target_Version
  • 1.14-next
  • 1.15-next
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Mon Aug 28 12:11:37 2017
Starts: Not set
Started: Mon Aug 28 12:11:37 2017
Last Contact: Not set
Due: Not set
Updated: Sun Sep 24 20:40:03 2017 by ghudson
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 


History
      Mon Aug 28 12:11:37 2017  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Preserve GSS context on init/accept failure

After gss_init_sec_context() or gss_accept_sec_context() has created a
context, don't delete the mechglue context on failures from subsequent
calls, even if the mechanism deletes the mech-specific context (which
is allowed by RFC 2744 but not preferred).  Check for union contexts
with no mechanism context in each GSS function which accepts a
gss_ctx_id_t.

CVE-2017-11462:

RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to
gss_init_sec_context() or gss_accept_sec_context() if the call results
in an error.  This API behavior has been found to be dangerous,
leading to the possibility of memory errors in some callers.  For
safety, GSS-API implementations should instead preserve existing
security contexts on error until the caller deletes them.

All versions of MIT krb5 prior to this change may delete acceptor
contexts on error.  Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on
error.

https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
Author: Greg Hudson <ghudson@mit.edu>
Commit: 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
Branch: master
 src/lib/gssapi/mechglue/g_accept_sec_context.c  |   22 +++++++++++++++-------
 src/lib/gssapi/mechglue/g_complete_auth_token.c |    2 ++
 src/lib/gssapi/mechglue/g_context_time.c        |    2 ++
 src/lib/gssapi/mechglue/g_delete_sec_context.c  |   14 ++++++++------
 src/lib/gssapi/mechglue/g_exp_sec_context.c     |    2 ++
 src/lib/gssapi/mechglue/g_init_sec_context.c    |   19 +++++++++++--------
 src/lib/gssapi/mechglue/g_inq_context.c         |    2 ++
 src/lib/gssapi/mechglue/g_prf.c                 |    2 ++
 src/lib/gssapi/mechglue/g_process_context.c     |    2 ++
 src/lib/gssapi/mechglue/g_seal.c                |    4 ++++
 src/lib/gssapi/mechglue/g_sign.c                |    2 ++
 src/lib/gssapi/mechglue/g_unseal.c              |    2 ++
 src/lib/gssapi/mechglue/g_unwrap_aead.c         |    2 ++
 src/lib/gssapi/mechglue/g_unwrap_iov.c          |    4 ++++
 src/lib/gssapi/mechglue/g_verify.c              |    2 ++
 src/lib/gssapi/mechglue/g_wrap_aead.c           |    2 ++
 src/lib/gssapi/mechglue/g_wrap_iov.c            |    8 ++++++++
 17 files changed, 72 insertions(+), 21 deletions(-)
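The pattern the commit describes, written out as an added example that is not krb5's own mechglue code: the mechanism is allowed to delete its mech-specific context on a failed second call, but the union context handed to the caller survives, and every entry point that takes a handle checks for a union context whose mechanism context is gone. The types and function names (`mech_ctx`, `union_ctx`, `glue_*`) are hypothetical stand-ins, and the mechanism is simulated.

```c
#include <stdlib.h>

enum { GSS_S_COMPLETE = 0, GSS_S_FAILURE = 1, GSS_S_NO_CONTEXT = 2 };

/* Hypothetical stand-ins for a mechanism context and the mechglue union context. */
typedef struct { int step; } mech_ctx;
typedef struct { mech_ctx *internal; } union_ctx;

/* Simulated mechanism: the first call creates its context; the second fails and,
 * as RFC 2744 permits, deletes the mech-specific context on that error. */
static unsigned mech_init(mech_ctx **mc) {
    if (*mc != NULL) {
        free(*mc);
        *mc = NULL;
        return GSS_S_FAILURE;
    }
    *mc = calloc(1, sizeof(**mc));
    return (*mc != NULL) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}

/* Mechglue wrapper: only a failure on the call that created the union context
 * frees it; later failures leave the caller's handle valid with internal == NULL. */
unsigned glue_init(union_ctx **uc) {
    int created_here = (*uc == NULL);
    unsigned st;
    if (created_here && (*uc = calloc(1, sizeof(**uc))) == NULL)
        return GSS_S_FAILURE;
    st = mech_init(&(*uc)->internal);
    if (st != GSS_S_COMPLETE && created_here) {
        free(*uc);
        *uc = NULL;
    }
    return st;
}

/* Every function taking a handle rejects a union context with no mechanism context. */
unsigned glue_context_time(union_ctx *uc, unsigned *lifetime) {
    if (uc == NULL || uc->internal == NULL)
        return GSS_S_NO_CONTEXT;
    *lifetime = 3600;   /* constructed value */
    return GSS_S_COMPLETE;
}

unsigned glue_delete(union_ctx **uc) {
    if (*uc == NULL) return GSS_S_COMPLETE;
    free((*uc)->internal);   /* NULL after a failed re-init; free() tolerates it */
    free(*uc);
    *uc = NULL;
    return GSS_S_COMPLETE;
}
```

With the old behaviour the second `glue_init` failure would have freed the union context as well, leaving the caller holding a dangling handle that its normal cleanup path would then pass to delete.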


      Mon Aug 28 12:11:37 2017  ghudson - Status changed from new to review    
      Mon Aug 28 12:11:37 2017  ghudson - Tags pullup added    
      Mon Aug 28 12:11:37 2017  ghudson - Target_Version 1.15-next added    
      Mon Aug 28 12:11:37 2017  ghudson - Target_Version 1.14-next added    
      Mon Aug 28 12:11:37 2017  ghudson - Requestor ghudson@mit.edu added    
      Fri Sep 22 12:48:33 2017  ghudson - Version_Fixed 1.15.2 added    
      Fri Sep 22 12:48:33 2017  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Preserve GSS context on init/accept failure

(cherry picked from commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf)

https://github.com/krb5/krb5/commit/3659e55443962a50fdbe564bc5333e32dafd22f9
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3659e55443962a50fdbe564bc5333e32dafd22f9
Branch: krb5-1.15
      Fri Sep 22 12:48:44 2017  ghudson - Version_Fixed 1.14.6 added    
      Fri Sep 22 12:48:44 2017  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Preserve GSS context on init/accept failure

(cherry picked from commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf)

https://github.com/krb5/krb5/commit/5949691d76eb41bb2c50c3d742a5cb03d1478d06
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5949691d76eb41bb2c50c3d742a5cb03d1478d06
Branch: krb5-1.14
      Fri Sep 22 12:51:07 2017  ghudson - Keyword pullup deleted    
      Sun Sep 24 20:40:03 2017  ghudson - Status changed from review to resolved