Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2026-05-08 16:42:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
 and      /work/SRC/openSUSE:Factory/.krb5.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5" Fri May 8 16:42:29 2026 rev:182 rq:1351369 version:1.22.2 Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2026-03-27 16:48:21.612549968 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5-mini.changes 2026-05-08 16:42:33.298155604 +0200 @@ -1,0 +2,8 @@ +Wed May 6 09:52:46 UTC 2026 - Samuel Cabrero <[email protected]> + +- Fix Fix two NegoEx parsing vulnerabilities: + * CVE-2026-40355, bsc#1263366 + * CVE-2026-40356, bsc#1263367 +- Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch + +------------------------------------------------------------------- krb5.changes: same change New: ---- 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.krb5.new.1966/krb5-mini.changes- * CVE-2026-40356, bsc#1263367 /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5-mini.changes:- Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5-mini.changes- -- /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5.changes- * CVE-2026-40356, bsc#1263367 /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5.changes:- Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch /work/SRC/openSUSE:Factory/.krb5.new.1966/krb5.changes- ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.zK6QkI/_old 2026-05-08 16:42:34.430202516 +0200 +++ /var/tmp/diff_new_pack.zK6QkI/_new 2026-05-08 16:42:34.434202682 +0200 @@ -48,6 +48,7 @@ Patch9: 0009-UsrEtc-support.patch Patch10: 0010-Fix-strchr-conformance-to-C23.patch Patch11: 0011-autoconf-2.73-compatibility.patch +Patch12: 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch BuildRequires: autoconf BuildRequires: bison BuildRequires: pkgconfig krb5.spec: same change ++++++ 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch ++++++ 
>From 2e75f0d9362fb979f5fc92829431a590a130929f Mon Sep 17 00:00:00 2001 From: Greg Hudson <[email protected]> Date: Wed, 8 Apr 2026 17:57:59 -0400 Subject: [PATCH] Fix two NegoEx parsing vulnerabilities In parse_nego_message(), check the result of the second call to vector_base() before dereferencing it. In parse_message(), check for a short header_len to prevent an integer underflow when calculating the remaining message length. Reported by Cem Onat Karagun. CVE-2026-40355: In MIT krb5 release 1.18 and later, if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech, an unauthenticated remote attacker can trigger a null pointer dereference, causing the process to terminate. CVE-2026-40356: In MIT krb5 release 1.18 and later, if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech, an unauthenticated remote attacker can trigger a read overrun of up to 52 bytes, possibly causing the process to terminate. Exfiltration of the bytes read does not appear possible. ticket: 9205 (new) tags: pullup target_version: 1.22-next --- src/lib/gssapi/spnego/negoex_util.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c index edc5462e8..a65238e57 100644 --- a/src/lib/gssapi/spnego/negoex_util.c +++ b/src/lib/gssapi/spnego/negoex_util.c @@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, offset = k5_input_get_uint32_le(in); count = k5_input_get_uint16_le(in); p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); + if (p == NULL) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } for (i = 0; i < count; i++) { extension_type = load_32_le(p + i * EXTENSION_LENGTH); if (extension_type & EXTENSION_FLAG_CRITICAL) { 
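Review bot: the new NULL check after the second vector_base() call in parse_nego_message() sits correctly before the `for (i = 0; i < count; i++)` loop that dereferences `p`, and it returns the same ERR_NEGOEX_INVALID_MESSAGE_SIZE / GSS_S_DEFECTIVE_TOKEN pair that the parse_message() check uses, so the error path is consistent. Two things I would still raise: the commit message says this is the second vector_base() call, but the first call and its check are outside this hunk, so confirm that the error code there matches this one; and the diffstat touches only negoex_util.c, with no regression test for a token whose extension vector offset/count falls outside msg_len, which is exactly the input this check rejects. A one-line comment above the check, e.g. `/* vector_base() returns NULL if the extension vector lies outside the message. */`, would make the intent clear to the next reader.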
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, msg_len = k5_input_get_uint32_le(in); conv_id = k5_input_get_bytes(in, GUID_LENGTH); - if (in->status || msg_len > token_remaining || header_len > msg_len) { + if (in->status || msg_len > token_remaining || + header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; return GSS_S_DEFECTIVE_TOKEN; } -- 2.54.0
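Review bot: the added lower bound `header_len < (size_t)(in->ptr - msg_base)` is only evaluated after `in->status` is found clear, so the pointer arithmetic runs on a cursor whose preceding reads of msg_len and conv_id succeeded; keep that ordering if the condition is ever reworked, because the subtraction depends on it. The condition now bounds header_len from both sides (at least the fixed header already consumed, at most msg_len), which is what closes the underflow in the remaining-length calculation described in the commit message, but nothing in the code says so; a comment such as `/* header_len must cover the fixed header consumed so far. */` is missing and would help. As with the first hunk, no test accompanies the change, and a malformed-token case with a header_len smaller than the fixed header would be a cheap addition to the test suite.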
