author Patrick J Volkerding <volkerdi@slackware.com>2023-07-12 20:41:16 +0000
committer Eric Hameleers <alien@slackware.com>2023-07-13 13:30:36 +0200
commit08b21a9944735aee9b1c2acd8d363059e6018fc6 (patch)
treeb47bc641c1b9daa54dcca00e4f0ffed58e7e016d /patches
parent3b203b36ef3c683f2e13ba4ee5161c63cfc32899 (diff)
Wed Jul 12 20:41:16 UTC 202320230712204116_15.0
patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txz: Rebuilt. Fix potential uninitialized pointer free in kadm5 XDR parsing. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-36054 (* Security fix *) patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release.
Diffstat (limited to 'patches')
-rw-r--r--patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt (renamed from patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt)0
-rw-r--r--patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt (renamed from patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt)0
-rw-r--r--patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch62
-rwxr-xr-xpatches/source/krb5/krb5.SlackBuild3
4 files changed, 64 insertions, 1 deletions
diff --git a/patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt b/patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt
index cd70c71bb..cd70c71bb 100644
--- a/patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt
+++ b/patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt
diff --git a/patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt b/patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt
index 427ea5539..427ea5539 100644
--- a/patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt
+++ b/patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt
diff --git a/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch b/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch
new file mode 100644
index 000000000..9159bc3e8
--- /dev/null
+++ b/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch
@@ -0,0 +1,62 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3f4..287cae750f9 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ objp->n_key_data = n;
++ if (!r) {
+ return (FALSE);
+ }
+
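Review bot: The write-back `objp->n_key_data = n;` in the last inner hunk narrows an `unsigned int` into the 16-bit count field and runs before `r` is tested, and nothing in the code says why either is safe. On a successful decode the value presumably fits only because the new `n_key_data < 0` guard keeps the bound passed to xdr_array() non-negative; on a failed decode, what `n` holds depends on xdr_array() internals that are not shown here. I would add a comment above the assignment, e.g. `/* Keep n_key_data equal to the array count xdr_array() produced, even on failure, so a later free pass iterates over the same number of elements. */`, and confirm against xdr_array() that `n` cannot exceed the bound on the failure path. The body of _xdr_kadm5_principal_ent_rec() starts and ends outside these hunks.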
diff --git a/patches/source/krb5/krb5.SlackBuild b/patches/source/krb5/krb5.SlackBuild
index 49ea6646d..3db26386d 100755
--- a/patches/source/krb5/krb5.SlackBuild
+++ b/patches/source/krb5/krb5.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=krb5
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-3_slack15.0}
+BUILD=${BUILD:-4_slack15.0}
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
@@ -83,6 +83,7 @@ cat $CWD/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | patch -p1 --verbose ||
cat $CWD/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch | patch -p1 --verbose || exit 1
cat $CWD/e134d9a6b6332bd085093e9075c949ece784fcd0.patch | patch -p1 --verbose || exit 1
cat $CWD/5ad465bc8e0d957a4945218bea487b77622bf433.patch | patch -p1 --verbose || exit 1
+cat $CWD/ef08b09c9459551aabbe7924fb176f1583053cdd.patch | patch -p1 --verbose || exit 1
cd src
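Review bot: The added `patch` line names the fix only by its upstream commit hash, so the build script does not show which advisory it covers; only the commit description ties it to CVE-2023-36054. A comment directly above it, e.g. `# CVE-2023-36054: kadm5 XDR array count consistency`, would let someone auditing the package map applied patches to advisories without opening each file. The neighbouring patch lines are unlabelled too, so this may be a convention question for the whole script.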