From nobody Fri May 1 00:19:47 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g6BWB5TMsz6cYc6; Fri, 01 May 2026 00:19:50 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta004.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g6BWB37CFz421m; Fri, 01 May 2026 00:19:50 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4004b.ext.cloudfilter.net ([10.228.9.230]) by cmsmtp with ESMTPS id ITSlwqEcU5R43IbbhwKHD9; Fri, 01 May 2026 00:19:49 +0000 Received: from spqr.komquats.com ([70.66.136.217]) by cmsmtp with ESMTPSA id IbbfwoA73KTB5Ibbgwf75F; Fri, 01 May 2026 00:19:49 +0000 X-Auth-User: cschuber X-Authority-Analysis: v=2.4 cv=Ge8aXAXL c=1 sm=1 tr=0 ts=69f3f1a5 a=h7br+8Ma+Xn9xscxy5znUg==:117 a=h7br+8Ma+Xn9xscxy5znUg==:17 a=kj9zAlcOel0A:10 a=A5OVakUREuEA:10 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8 a=YxBL1-UpAAAA:8 a=PXzK8sMiJLvmTTDkssgA:9 a=CjuIK1q_8ugA:10 a=LK5xJRSDVpKd5WXXoEvA:22 a=Ia-lj3WSrqcvXOmTRaiG:22 Received: from slippy.cwsent.com (slippy.cwsent.com [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 929CAE8; Thu, 30 Apr 2026 17:19:47 -0700 (PDT) Received: by slippy.cwsent.com (Postfix, from userid 1000) id 72C5D28D; Thu, 30 Apr 2026 17:19:47 -0700 (PDT) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Cy Schubert cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: Re: git: c9dd7bffa58c - main - krb5: Fix two NegoEx parsing vulnerabilities In-reply-to: <69f3efba.307f2.6f425dba@gitrepo.freebsd.org> References: <69f3efba.307f2.6f425dba@gitrepo.freebsd.org> Comments: In-reply-to Cy Schubert message dated "Fri, 01 May 2026 00:11:38 -0000." List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Apr 2026 17:19:47 -0700 Message-Id: <20260501001947.72C5D28D@slippy.cwsent.com> X-CMAE-Envelope: MS4xfESwt69sYZTv1rskEn+5MY05rrSnll7Nr55EpoLruw3F3ZQZl/RGZfypERK5onzaylF0LPhXfHMjjQlKWM5Dw9Cc7PuW2MJI77nz9yWIyxY+S7rQswlN mTX+6TVDr+y2AbifMPoxUXDB+1SPTy++paRLQuqMHXA8XQkAQ9PO9J5FgueIucIvlPBuJH8vt94pf/KW791CgakQ1eJKbFNqqrhcUrMUsyIJI+Shfy1bsJeR G3C8t5/GpSOPFIKw72SHVh3o9CVgLggQLtNxvZsjBMz1isCs3iOJtMhB4BO9q7tZpsLQB1egN7cI12PgDxCoObFy6reVYls/yFQwLsfiYH0= X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Queue-Id: 4g6BWB37CFz421m X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated In message <69f3efba.307f2.6f425dba@gitrepo.freebsd.org>, Cy Schubert writes: > The branch main has been updated by cy: > > URL: https://cgit.FreeBSD.org/src/commit/?id=c9dd7bffa58c50b2f7ed9e66ace39197 > c468d8e6 > > commit c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6 > Author: Cy Schubert > AuthorDate: 2026-04-30 19:27:31 +0000 > Commit: Cy Schubert > CommitDate: 2026-05-01 00:11:25 +0000 > > krb5: Fix two NegoEx parsing vulnerabilities > > Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit > log is: > > In parse_nego_message(), check the result of the second call to > vector_base() before dereferencing it. In parse_message(), check for > a short header_len to prevent an integer underflow when calculating > the remaining message length. > > Reported by Cem Onat Karagun. > > CVE-2026-40355: > > In MIT krb5 release 1.18 and later, if an application calls > gss_accept_sec_context() on a system with a NegoEx mechanism > registered in /etc/gss/mech, an unauthenticated remote attacker can > trigger a null pointer dereference, causing the process to terminate. > > CVE-2026-40356: > > In MIT krb5 release 1.18 and later, if an application calls > gss_accept_sec_context() on a system with a NegoEx mechanism > registered in /etc/gss/mech, an unauthenticated remote attacker can > trigger a read overrun of up to 52 bytes, possibly causing the process > to terminate. Exfiltration of the bytes read does not appear > possible. > --- FreeBSD is not vulnerable to this Microsoft NegoEx extension. But it is a good idea include this anyway. Though it is still good to include this patch. I was notified about this at $JOB. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e**(i*pi)+1=0