Skip Menu |
 

From: ghudson@mit.edu
Subject: git commit

Fix read overruns in SPNEGO parsing

Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.

In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet. In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().

https://github.com/krb5/krb5/commit/47c2a12830dbd7fb8e13c239ddc0ac74129a91f6
Author: Greg Hudson <ghudson@mit.edu>
Commit: 47c2a12830dbd7fb8e13c239ddc0ac74129a91f6
Branch: master
src/lib/gssapi/spnego/spnego_mech.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix read overruns in SPNEGO parsing

Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.

In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet. In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().

(cherry picked from commit 47c2a12830dbd7fb8e13c239ddc0ac74129a91f6)

https://github.com/krb5/krb5/commit/eb886f626526769e596443314bcbe4e8bd9d84ee
Author: Greg Hudson <ghudson@mit.edu>
Commit: eb886f626526769e596443314bcbe4e8bd9d84ee
Branch: krb5-1.20
src/lib/gssapi/spnego/spnego_mech.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)