Heimdal before 7.7.1 allows attackers to cause a NULL pointer
dereference in a SPNEGO acceptor via a preferred_mech_type of
GSS_C_NO_OID and a nonzero initial_response value to send_accept.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44758

Upstream patches:
https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580

Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
---
 .../samba/samba/CVE-2021-44758.patch          | 72 +++++++++++++++++++
 .../samba/samba_4.14.14.bb                    |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch
new file mode 100644
index 000000000..661089945
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch
@@ -0,0 +1,72 @@
+From f9ec7002cdd526ae84fbacbf153162e118f22580 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <n...@twosigma.com>
+Date: Wed Mar 9 10:18:52 2022 -0600
+Subject: [PATCH] spnego: CVE-2021-44758 send_reject when no mech selected
+
+    This fixes a DoS where an initial SPNEGO token that has no acceptable
+    mechanisms causes a NULL dereference in acceptors.
+
+    send_accept() when called with a non-zero 'initial_response' did
+    not handle the case of gssspnego_ctx.preferred_mech_type equal
+    to GSS_C_NO_OID.
+
+    The failure to handle GSS_C_NO_OID has been present since the
+    initial revision of gssapi/spnego,
+    2baa7e7d613c26b2b037b368931519a84baec53d but might not have
+    been exercised until later revisions.
+
+    The introduction of opportunistic token handling in
+    gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663,
+    introduced two bugs:
+
+     1. The optional mechToken field is used unconditionally
+        possibly resulting in a segmentation fault.
+
+     2. If use of the opportunistic token is unsuccessful and the
+        mech type list length is one, send_accept() can be called
+        with 'initial_response' true and preferred mech set to
+        GSS_C_NO_OID.
+
+    b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting
+    somewhat more correct for SPNEGO") attempted to fix the first
+    issue and increased the likelihood of the second.
+
+    This change alters the behavior of acceptor_start() so it calls
+    send_reject() when no mechanism was selected.
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580]
+CVE: CVE-2021-44758
+
+Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com>
+---
+ .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/gssapi/spnego/accept_sec_context.c 
b/lib/gssapi/spnego/accept_sec_context.c
+index 3a51dd3..b60dc19 100644
+--- a/lib/gssapi/spnego/accept_sec_context.c
++++ b/lib/gssapi/spnego/accept_sec_context.c
+@@ -619,13 +619,15 @@ acceptor_start
+           if (ret == 0)
+               break;
+       }
+-      if (preferred_mech_type == GSS_C_NO_OID) {
+-          HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+-          free_NegotiationToken(&nt);
+-          return ret;
+-      }
++    }
++
++    ctx->preferred_mech_type = preferred_mech_type;
+
+-      ctx->preferred_mech_type = preferred_mech_type;
++    if (preferred_mech_type == GSS_C_NO_OID) {
++        send_reject(minor_status, output_token);
++        HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
++        free_NegotiationToken(&nt);
++        return ret;
+     }
+
+     /*
+--
+2.40.0
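Review bot: the backported patch header arrives wrapped in this mail: `Upstream-Status: Backport ` continues on the following line as `[https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580]`, and the inner `diff --git a/lib/gssapi/spnego/accept_sec_context.c` line has its `b/lib/gssapi/spnego/accept_sec_context.c` half on a separate line. If that wrapping exists in the committed .patch file rather than only in the mail, quilt will not parse the file header when the recipe applies it with patchdir=source4/heimdal, so please confirm both are single lines in the repository. On the logic, the change matches upstream f9ec7002: `ctx->preferred_mech_type` is assigned before the GSS_C_NO_OID check, and send_reject() now emits a reject token before the mutex is unlocked and the NegotiationToken freed, so the acceptor no longer reaches send_accept() with initial_response set and no mechanism selected; the return value of send_reject() is discarded and the status from the last mechanism probe (`ret`) is returned, which is consistent with the upstream commit.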
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index fcec63752..72021745b 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -32,6 +32,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
            file://CVE-2022-45142.patch;patchdir=source4/heimdal \
            file://CVE-2022-41916.patch;patchdir=source4/heimdal \
+           file://CVE-2021-44758.patch;patchdir=source4/heimdal \
            "
 
 SRC_URI:append:libc-musl = " \
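Review bot: the new `file://CVE-2021-44758.patch;patchdir=source4/heimdal` entry is appended after the CVE-2022-* backports that also apply under source4/heimdal, so it is applied on top of them; please confirm from a build log that the `@@ -619,13 +619,15 @@ acceptor_start` hunk applies without fuzz in that order. The `CVE: CVE-2021-44758` tag in the patch header is what lets cve-check record the recipe as patched for this CVE, so no separate CVE_CHECK_IGNORE entry is needed.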
-- 
2.40.0
