Skip Menu |
 

From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.4KiB

Fix vulnerabilities in GSS message token handling

In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.

https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
Author: Greg Hudson <ghudson@mit.edu>
Commit: b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
Branch: master
src/lib/gssapi/krb5/k5sealv3.c | 5 +
src/lib/gssapi/krb5/k5sealv3iov.c | 3 +-
src/lib/gssapi/krb5/k5unsealiov.c | 80 +++++++++++--
src/tests/gssapi/t_invalid.c | 233 +++++++++++++++++++++++++++++++-------
4 files changed, 275 insertions(+), 46 deletions(-)
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.5KiB

Fix vulnerabilities in GSS message token handling

In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.

(cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a)

https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
Author: Greg Hudson <ghudson@mit.edu>
Commit: 55fbf435edbe2e92dd8101669b1ce7144bc96fef
Branch: krb5-1.21
src/lib/gssapi/krb5/k5sealv3.c | 5 +
src/lib/gssapi/krb5/k5sealv3iov.c | 3 +-
src/lib/gssapi/krb5/k5unsealiov.c | 80 +++++++++++--
src/tests/gssapi/t_invalid.c | 233 +++++++++++++++++++++++++++++++-------
4 files changed, 275 insertions(+), 46 deletions(-)