Diffstat (limited to 'patches')
-rw-r--r-- | patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt (renamed from patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt) | 0 | ||||
-rw-r--r-- | patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt (renamed from patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt) | 0 | ||||
-rw-r--r-- | patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch | 62 | ||||
-rwxr-xr-x | patches/source/krb5/krb5.SlackBuild | 3 |
4 files changed, 64 insertions, 1 deletions
diff --git a/patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt b/patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt
index cd70c71bb..cd70c71bb 100644
--- a/patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txt
+++ b/patches/packages/krb5-1.19.2-x86_64-4_slack15.0.txt
diff --git a/patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt b/patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt
index 427ea5539..427ea5539 100644
--- a/patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txt
+++ b/patches/packages/sudo-1.9.14p1-x86_64-1_slack15.0.txt
diff --git a/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch b/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch
new file mode 100644
index 000000000..9159bc3e8
--- /dev/null
+++ b/patches/source/krb5/ef08b09c9459551aabbe7924fb176f1583053cdd.patch
@@ -0,0 +1,62 @@
+From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3f4..287cae750f9 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ objp->n_key_data = n;
++ if (!r) {
+ return (FALSE);
+ }
+
diff --git a/patches/source/krb5/krb5.SlackBuild b/patches/source/krb5/krb5.SlackBuild
index 49ea6646d..3db26386d 100755
--- a/patches/source/krb5/krb5.SlackBuild
+++ b/patches/source/krb5/krb5.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=krb5
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-3_slack15.0}
+BUILD=${BUILD:-4_slack15.0}
 if [ -z "$ARCH" ]; then
 case "$( uname -m )" in
@@ -83,6 +83,7 @@ cat $CWD/d775c95af7606a51bf79547a94fa52ddd1cb7f49.patch | patch -p1 --verbose ||
 cat $CWD/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583.patch | patch -p1 --verbose || exit 1
 cat $CWD/e134d9a6b6332bd085093e9075c949ece784fcd0.patch | patch -p1 --verbose || exit 1
 cat $CWD/5ad465bc8e0d957a4945218bea487b77622bf433.patch | patch -p1 --verbose || exit 1
+cat $CWD/ef08b09c9459551aabbe7924fb176f1583053cdd.patch | patch -p1 --verbose || exit 1
 cd src |
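Review bot: In the third hunk of the embedded kadm_rpc_xdr.c patch, `objp->n_key_data = n;` runs before `r` is tested and stores an `unsigned int` into the field that was read with `xdr_krb5_int16`, and no comment explains why the write-back also happens on the failure path. The patch description gives the intent (the count must match the array when the structure is later freed), so I would state it next to the code: `/* Write back the count xdr_array() used, even on failure, so a later free walks a matching number of elements. */`. On success the bound `objp->n_key_data` passed as the maximum keeps `n` within the earlier non-negative value, but what is left in `n` after a failed call depends on xdr_array(), which is not visible here, so that narrowing is worth confirming. The sign check added in the second hunk applies only when `xdrs->x_op == XDR_DECODE`; the body of _xdr_kadm5_principal_ent_rec() starts and ends outside these hunks.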
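Review bot: The added `patch -p1 --verbose || exit 1` line in krb5.SlackBuild stops the build only when a hunk is rejected, so a hunk of the CVE-2023-36054 fix that applies with fuzz would still pass. The patch header lists `target_version: 1.21-next` and `target_version: 1.20-next` while the package is krb5-1.19.2, so this is a backport onto older source. For a security fix I would make the application strict, `cat $CWD/ef08b09c9459551aabbe7924fb176f1583053cdd.patch | patch -p1 --fuzz=0 --verbose || exit 1`, or at least confirm in the build log that all three hunks applied without fuzz. The neighbouring patch lines use the same form, so the same tightening could be applied to them for consistency.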