Date:      Wed, 16 Aug 2023 15:31:34 GMT
From:      Cy Schubert <cy@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: aa4e888e949e - 2023Q3 - security/krb5-121: Fix double-free in KDC TGS processing
Message-ID:  <202308161531.37GFVYvr019044@gitrepo.freebsd.org>

The branch 2023Q3 has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=aa4e888e949e1a194441551cd28c33f9d0d72b22

commit aa4e888e949e1a194441551cd28c33f9d0d72b22
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-08-14 14:43:21 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-08-16 15:31:24 +0000

    security/krb5-121: Fix double-free in KDC TGS processing
    
    Upstream's commit log message:
    
        When issuing a ticket for a TGS renew or validate request, copy only
        the server field from the outer part of the header ticket to the new
        ticket.  Copying the whole structure causes the enc_part pointer to be
        aliased to the header ticket until krb5_encrypt_tkt_part() is called,
        resulting in a double-free if handle_authdata() fails.
    
        [ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
        than check for aliasing before freeing; rewrote commit message]
    
        CVE-2023-39975:
    
        In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
        free the same pointer twice if it can induce a failure in
        authorization data handling.
    
        ticket: 9101 (new)
        tags: pullup
        target_version: 1.21-next
    
    Obtained from:  Upstream git commit 88a1701b4
    MFH:            2023Q3
    
    (cherry picked from commit 73ac8e036934587e606aefad711b19ab9431fe83)
---
 security/krb5-121/Makefile                       |  1 +
 security/krb5-121/files/patch-kdc_do__tgs__req.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/security/krb5-121/Makefile b/security/krb5-121/Makefile
index 4ba2b5aa5cea..fe0251da5e19 100644
--- a/security/krb5-121/Makefile
+++ b/security/krb5-121/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=		krb5
 PORTVERSION=		1.21.1
+PORTREVISION=		1
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 .if !defined(MASTERDIR)
diff --git a/security/krb5-121/files/patch-kdc_do__tgs__req.c b/security/krb5-121/files/patch-kdc_do__tgs__req.c
new file mode 100644
index 000000000000..b42861d35c02
--- /dev/null
+++ b/security/krb5-121/files/patch-kdc_do__tgs__req.c
@@ -0,0 +1,14 @@
+--- kdc/do_tgs_req.c.orig	2023-07-10 13:58:20.000000000 -0700
++++ kdc/do_tgs_req.c	2023-08-14 07:23:14.383349000 -0700
+@@ -1010,8 +1010,9 @@
+     }
+ 
+     if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
+-        /* Copy the whole header ticket except for authorization data. */
+-        ticket_reply = *t->header_tkt;
++        /* Copy the header ticket server and all enc-part fields except for
++         * authorization data. */
++        ticket_reply.server = t->header_tkt->server;
+         enc_tkt_reply = *t->header_tkt->enc_part2;
+         enc_tkt_reply.authorization_data = NULL;
+     } else {
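Review bot: the replacement line `ticket_reply.server = t->header_tkt->server;` leaves every other field of `ticket_reply`, `enc_part` included, as it was before this block, so the fix depends on `ticket_reply` being zero-initialised at its declaration, which this hunk does not show; confirm that in the surrounding context so an error path taken before `krb5_encrypt_tkt_part()` releases a NULL `enc_part` rather than an uninitialised one. `server` is still a shallow copy of the header ticket's field, so the reply must not free it, which matches the existing ownership; the new comment describes that correctly. The patch file itself carries no reference to upstream commit 88a1701b4 (it is only in the commit message), so a one-line header comment naming it would help the next maintainer re-sync the port.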
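To illustrate the aliasing the commit message describes, the following is an added C model and not krb5 code: `struct ticket`, `encrypt_part()` and both check functions are hypothetical stand-ins. A whole-struct copy shares the header ticket's heap pointer, so freeing both tickets on an error path frees it twice, while copying only `server` into a zeroed reply leaves the reply's `enc_part` independent.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a krb5 ticket: the server name plus an
 * enc_part buffer that the ticket owns once it has been encrypted. */
struct ticket {
    const char *server;      /* not owned by the ticket */
    char *enc_part;          /* heap buffer owned by this ticket, or NULL */
};

/* Stand-in for krb5_encrypt_tkt_part(): gives the ticket its own buffer. */
static void encrypt_part(struct ticket *t, const char *plain)
{
    t->enc_part = malloc(strlen(plain) + 1);
    if (t->enc_part != NULL)
        strcpy(t->enc_part, plain);
}

/* Before the fix: whole-struct copy. Returns 1 when the reply's enc_part
 * aliases the header ticket's buffer, so releasing both tickets on an error
 * path (handle_authdata() failing) would free the same pointer twice. */
int whole_struct_copy_aliases(void)
{
    struct ticket header = { "krbtgt/EXAMPLE.ORG", NULL };
    struct ticket reply;
    int aliased;

    encrypt_part(&header, "header-enc-part");
    reply = header;                      /* ticket_reply = *t->header_tkt; */
    aliased = (reply.enc_part != NULL && reply.enc_part == header.enc_part);
    free(header.enc_part);               /* free(reply.enc_part) here = double free */
    return aliased;
}

/* After the fix: copy only the server field into a zeroed reply. Returns 1
 * when the reply's enc_part stays independent (NULL until encrypted), so
 * both tickets can be released on the same error path. */
int server_only_copy_is_independent(void)
{
    struct ticket header = { "krbtgt/EXAMPLE.ORG", NULL };
    struct ticket reply = { NULL, NULL };
    int independent;

    encrypt_part(&header, "header-enc-part");
    reply.server = header.server;        /* ticket_reply.server = t->header_tkt->server; */
    independent = (reply.enc_part == NULL && reply.server == header.server);
    free(header.enc_part);
    free(reply.enc_part);                /* NULL: a no-op, not a double free */
    return independent;
}
```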