Date:      Mon, 04 May 2026 11:57:36 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: a22ad16deb2c - stable/15 - krb5: Fix two NegoEx parsing vulnerabilities
Message-ID:  <69f889b0.362d1.23163885@gitrepo.freebsd.org>


The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=a22ad16deb2ce23050c949b43210f5c6feb5afa8

commit a22ad16deb2ce23050c949b43210f5c6feb5afa8
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-04-30 19:27:31 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-04 11:57:26 +0000

    krb5: Fix two NegoEx parsing vulnerabilities
    
    Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit
    log is:
    
     In parse_nego_message(), check the result of the second call to
     vector_base() before dereferencing it.  In parse_message(), check for
     a short header_len to prevent an integer underflow when calculating
     the remaining message length.
    
     Reported by Cem Onat Karagun.
    
     CVE-2026-40355:
    
     In MIT krb5 release 1.18 and later, if an application calls
     gss_accept_sec_context() on a system with a NegoEx mechanism
     registered in /etc/gss/mech, an unauthenticated remote attacker can
     trigger a null pointer dereference, causing the process to terminate.
    
     CVE-2026-40356:
    
     In MIT krb5 release 1.18 and later, if an application calls
     gss_accept_sec_context() on a system with a NegoEx mechanism
     registered in /etc/gss/mech, an unauthenticated remote attacker can
     trigger a read overrun of up to 52 bytes, possibly causing the process
     to terminate.  Exfiltration of the bytes read does not appear
     possible.
    
    (cherry picked from commit c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6)
---
 crypto/krb5/src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crypto/krb5/src/lib/gssapi/spnego/negoex_util.c b/crypto/krb5/src/lib/gssapi/spnego/negoex_util.c
index edc5462e8441..a65238e57305 100644
--- a/crypto/krb5/src/lib/gssapi/spnego/negoex_util.c
+++ b/crypto/krb5/src/lib/gssapi/spnego/negoex_util.c
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
     offset = k5_input_get_uint32_le(in);
     count = k5_input_get_uint16_le(in);
     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+    if (p == NULL) {
+        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
     for (i = 0; i < count; i++) {
         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
         if (extension_type & EXTENSION_FLAG_CRITICAL) {
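Review bot: The added NULL check is the correct fix for the unguarded dereference at `load_32_le(p + i * EXTENSION_LENGTH)` in the loop that follows, and the error path (`*minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; return GSS_S_DEFECTIVE_TOKEN;`) matches the one used in parse_message() below, so callers see a consistent "defective token" result for both malformed-size cases. One documentation suggestion: a short comment above the check stating under what condition vector_base() returns NULL (the commit log implies an extension vector that does not fit inside msg_base/msg_len) would make clear that this is a malformed-token rejection rather than a resource failure, which matters for anyone auditing the other vector_base() call sites for the same missing check.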
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
     msg_len = k5_input_get_uint32_le(in);
     conv_id = k5_input_get_bytes(in, GUID_LENGTH);
 
-    if (in->status || msg_len > token_remaining || header_len > msg_len) {
+    if (in->status || msg_len > token_remaining ||
+        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
         return GSS_S_DEFECTIVE_TOKEN;
     }
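Review bot: The new `header_len < (size_t)(in->ptr - msg_base)` clause is the right guard against the underflow described in the log, but its correctness relies on two things worth documenting in a comment at the condition: `in->ptr` must already point just past the last fixed header field consumed above (`conv_id` via `k5_input_get_bytes(in, GUID_LENGTH)`), and `msg_base` must be the start of this message, so that `in->ptr - msg_base` is the number of header bytes consumed so far. The ordering is correct as written: `in->status` is tested first and `||` short-circuits, so the pointer arithmetic is only evaluated after the reads succeeded, and using `<` rather than `<=` correctly allows a header that contains exactly the fixed fields and nothing more. Consider pulling `(size_t)(in->ptr - msg_base)` into a named local (for example `fixed_len`) so the three-way relationship `fixed_len <= header_len <= msg_len <= token_remaining` reads as one invariant instead of a cast inside a compound condition.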
