Date:      Thu, 30 Apr 2026 17:19:47 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Cy Schubert <cy@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: c9dd7bffa58c - main - krb5: Fix two NegoEx parsing  vulnerabilities
Message-ID:  <20260501001947.72C5D28D@slippy.cwsent.com>
In-Reply-To: <69f3efba.307f2.6f425dba@gitrepo.freebsd.org>


In message <69f3efba.307f2.6f425dba@gitrepo.freebsd.org>, Cy Schubert 
writes:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6
>
> commit c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6
> Author:     Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2026-04-30 19:27:31 +0000
> Commit:     Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2026-05-01 00:11:25 +0000
>
>     krb5: Fix two NegoEx parsing vulnerabilities
>     
>     Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit
>     log is:
>     
>      In parse_nego_message(), check the result of the second call to
>      vector_base() before dereferencing it.  In parse_message(), check for
>      a short header_len to prevent an integer underflow when calculating
>      the remaining message length.
>     
>      Reported by Cem Onat Karagun.
>     
>      CVE-2026-40355:
>     
>      In MIT krb5 release 1.18 and later, if an application calls
>      gss_accept_sec_context() on a system with a NegoEx mechanism
>      registered in /etc/gss/mech, an unauthenticated remote attacker can
>      trigger a null pointer dereference, causing the process to terminate.
>     
>      CVE-2026-40356:
>     
>      In MIT krb5 release 1.18 and later, if an application calls
>      gss_accept_sec_context() on a system with a NegoEx mechanism
>      registered in /etc/gss/mech, an unauthenticated remote attacker can
>      trigger a read overrun of up to 52 bytes, possibly causing the process
>      to terminate.  Exfiltration of the bytes read does not appear
>      possible.
> ---

FreeBSD is not vulnerable to this Microsoft NegoEx extension. But it is a 
good idea to include this anyway. Though it is still good to include this 
patch. I was notified about this at $JOB.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0

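The two checks named in the quoted commit log are easy to get wrong in any length-prefixed wire parser, so here is an added example that is not part of this thread, the krb5 tree or the FreeBSD patch. It models a NegoEx-style message with a 40-byte fixed header (signature, type, sequence number, header length, message length, conversation id, laid out little-endian as in the MS-NEGOEX MESSAGE_HEADER as I recall it) followed by a NEGO body carrying two (offset, count) vectors; the body layout, the 16- and 12-byte element sizes, and every function name (including this toy `vector_base`) are assumptions for illustration, not the real krb5 routines. `parse_header_weak` reproduces the pre-fix pattern, where `header_len` is bounded above but not below, so a short `header_len` wraps the "remaining" length; `parse_header` adds the lower bound, and `parse_nego_message` checks the result of both vector lookups before using them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIXED_HEADER_LEN 40u  /* sig 8 + type 4 + seq 4 + hdr_len 4 + msg_len 4 + conv id 16 */
#define NEGO_FIXED_BODY  52u  /* random 32 + version 8 + two (off u32, count u16) vectors (assumed) */
#define NEGOEX_SIG "NEGOEXTS"

struct negoex_hdr {
    uint32_t type, seqnum, header_len, message_len;
    size_t   ext_len;   /* header bytes beyond the fixed 40 */
    size_t   body_len;  /* bytes after the header: message_len - header_len */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Common part: read the fixed fields and bound header_len/message_len from above. */
static int read_fixed(const uint8_t *msg, size_t len, struct negoex_hdr *h)
{
    if (len < FIXED_HEADER_LEN || memcmp(msg, NEGOEX_SIG, 8) != 0) return -1;
    h->type = get_le32(msg + 8);        h->seqnum = get_le32(msg + 12);
    h->header_len = get_le32(msg + 16); h->message_len = get_le32(msg + 20);
    if (h->message_len > len || h->header_len > h->message_len) return -1;
    return 0;
}

/* Pre-fix pattern: no lower bound on header_len.  A value below 40 wraps ext_len
 * to a huge size_t; a later skip or copy then reads past the buffer.  This toy
 * only returns the wrapped value and never dereferences with it. */
static int parse_header_weak(const uint8_t *msg, size_t len, struct negoex_hdr *h)
{
    if (read_fixed(msg, len, h) != 0) return -1;
    h->ext_len  = (size_t)h->header_len - FIXED_HEADER_LEN;   /* underflows */
    h->body_len = (size_t)h->message_len - h->header_len;
    return 0;
}

/* Hardened: reject a short header before any subtraction happens. */
static int parse_header(const uint8_t *msg, size_t len, struct negoex_hdr *h)
{
    if (read_fixed(msg, len, h) != 0 || h->header_len < FIXED_HEADER_LEN) return -1;
    h->ext_len  = h->header_len - FIXED_HEADER_LEN;
    h->body_len = h->message_len - h->header_len;
    return 0;
}

/* A vector is (offset, count) into the same message.  Return the element base
 * or NULL if it does not fit; the 64-bit product avoids count*size overflow.
 * Every caller must test the result, on every call. */
static const uint8_t *vector_base(const uint8_t *msg, size_t len,
                                  uint32_t off, uint32_t count, size_t elem_size)
{
    uint64_t bytes = (uint64_t)count * elem_size;
    if (off > len || bytes > len - off) return NULL;
    return msg + off;
}

/* NEGO body (assumed layout): random[32], version[8], auth scheme vector, extension vector. */
static int parse_nego_message(const uint8_t *msg, size_t len,
                              uint32_t *auth_count, uint32_t *ext_count)
{
    struct negoex_hdr h;
    const uint8_t *body, *schemes, *exts;
    if (parse_header(msg, len, &h) != 0 || h.body_len < NEGO_FIXED_BODY) return -1;
    body = msg + h.header_len;
    *auth_count = get_le16(body + 44);
    *ext_count  = get_le16(body + 50);
    schemes = vector_base(msg, h.message_len, get_le32(body + 40), *auth_count, 16);
    exts    = vector_base(msg, h.message_len, get_le32(body + 46), *ext_count, 12);
    if (schemes == NULL || exts == NULL)   /* the second of these is the check that was missing */
        return -1;
    return 0;
}

/* Constructed sample (not a captured message): 40-byte header, 52-byte body, one
 * 16-byte auth scheme at offset 92, 108 bytes total.  header_len and the
 * extension-vector offset are parameters so callers can craft the bad cases. */
static size_t build_sample(uint8_t *buf, uint32_t header_len, uint32_t ext_off)
{
    size_t len = FIXED_HEADER_LEN + NEGO_FIXED_BODY + 16;
    memset(buf, 0, len);
    memcpy(buf, NEGOEX_SIG, 8);
    put_le32(buf + 16, header_len);
    put_le32(buf + 20, (uint32_t)len);
    put_le32(buf + 80, 92);  put_le16(buf + 84, 1);   /* auth scheme vector: off 92, count 1 */
    put_le32(buf + 86, ext_off);                       /* extension vector: count 0 (memset) */
    return len;
}

int main(void)
{
    uint8_t buf[128]; struct negoex_hdr h; uint32_t a = 0, e = 0;
    size_t n = build_sample(buf, 24, 92);
    parse_header_weak(buf, n, &h);
    printf("weak parser, header_len=24: ext_len=%zu (wrapped)\n", h.ext_len);
    printf("hardened parser rejects it: %d\n", parse_header(buf, n, &h));
    n = build_sample(buf, 40, 200);
    printf("extension vector past the end rejected: %d\n", parse_nego_message(buf, n, &a, &e));
    return 0;
}
```

Note that the weak parser passes `header_len > message_len` and `message_len > len` happily, which is exactly why the missing lower bound goes unnoticed: the upper-bound checks look complete until you follow the subtraction.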
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20260501001947.72C5D28D>