The branch, v4-15-test has been updated
via 2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des
via 2be27ec1d7f CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part
key selection
via 73c7c6ec9bc CVE-2022-44640 source4/heimdal: Fix use-after-free when
decoding PA-ENC-TS-ENC
via b4c3ce6fb9b CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1
codec
from f3672577a8e CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64
on systems where 'unsigned long' is just 32-bit
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit 2ea3f2db8087e0a2c4a18c633b039c722cb6f829
Author: Nicolas Williams <n...@cryptonector.com>
Date: Wed Oct 12 01:15:13 2011 -0500
CVE-2022-45141 source4/heimdal: Fix check-des
The previous fix was incomplete. But it also finally uncovered an
old check-des problem that I'd had once and which may have gotten
papered over by changing the default of one of the *strongest* KDC
parameters. The old problem is that we were passing the wrong
enctype to _kdc_encode_reply(): we were passing the session key
enctype where the ticket enc-part key's enctype was expected.
The whole enctype being passed in is superfluous anyways. Let's
clean that up next.
(cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf
Author: Nicolas Williams <n...@cryptonector.com>
Date: Tue Oct 11 23:57:58 2011 -0500
CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session,
reply, and ticket enc-part keys I accidentally had the KDC use the
session key selection algorithm for selecting the ticket enc-part
key. This becomes a problem when using a Heimdal KDC with an MIT
KDB as the HDB backend and when the krbtgt keys are not in
strongest-to-weakest order, in which case forwardable tickets minted
by the Heimdal KDC will not be accepted by MIT KDCs with the same
KDB.
(cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 73c7c6ec9bc3a1993e766f119e9e29905ded5e28
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Dec 7 20:13:25 2022 +1300
CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding
PA-ENC-TS-ENC
Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f
Author: Nicolas Williams <n...@twosigma.com>
Date: Wed Mar 10 16:49:04 2021 -0600
CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
[abart...@samba.org Adapted from Heimdal commit
ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15
by dropping fuzz-inputs file and EXPORTS entry for fuzzing]
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/heimdal/kdc/kerberos5.c | 3 ++-
source4/heimdal/kdc/krb5tgs.c | 14 ++++++++++----
source4/heimdal/lib/asn1/gen_decode.c | 12 ++++++------
source4/heimdal/lib/asn1/gen_free.c | 7 +++++++
4 files changed, 25 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index ad026dd617b..bda61e69df2 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
client_name);
continue;
}
- free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
* there is a e_text, they become unhappy.
*/
e_text = NULL;
+ free_PA_ENC_TS_ENC(&p);
goto out;
}
+ free_PA_ENC_TS_ENC(&p);
et.flags.pre_authent = 1;
set_salt_padata(rep.padata, pa_key->salt);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 15be136496f..609649003ea 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek, et.key.keytype,
+ &rep, &et, &ek, serverkey->keytype,
kvno,
serverkey, 0, replykey, rk_is_subkey,
e_text, reply);
@@ -1667,15 +1667,21 @@ server_lookup:
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, NULL,
- &skey);
+ server, b->etype.val, b->etype.len, &etype,
+ NULL);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
goto out;
}
+ ret = _kdc_get_preferred_key(context, config, server, spn,
+ NULL, &skey);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Server (%s) has no supported etypes", spn);
+ goto out;
+ }
ekey = &skey->key;
- etype = skey->key.keytype;
kvno = server->entry.kvno;
}
diff --git a/source4/heimdal/lib/asn1/gen_decode.c
b/source4/heimdal/lib/asn1/gen_decode.c
index 9d816d5400d..bf2d93b806d 100644
--- a/source4/heimdal/lib/asn1/gen_decode.c
+++ b/source4/heimdal/lib/asn1/gen_decode.c
@@ -584,14 +584,14 @@ decode_type (const char *name, const Type *t, int
optional,
classname(cl),
ty ? "CONS" : "PRIM",
valuename(cl, tag));
+ fprintf(codefile,
+ "(%s)->element = %s;\n",
+ name, m->label);
if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
depth + 1);
- fprintf(codefile,
- "(%s)->element = %s;\n",
- name, m->label);
free(s);
fprintf(codefile,
"}\n");
@@ -600,23 +600,23 @@ decode_type (const char *name, const Type *t, int
optional,
if (have_ellipsis) {
fprintf(codefile,
"else {\n"
+ "(%s)->element = %s;\n"
"(%s)->u.%s.data = calloc(1, len);\n"
"if ((%s)->u.%s.data == NULL) {\n"
"e = ENOMEM; %s;\n"
"}\n"
"(%s)->u.%s.length = len;\n"
"memcpy((%s)->u.%s.data, p, len);\n"
- "(%s)->element = %s;\n"
"p += len;\n"
"ret += len;\n"
"len = 0;\n"
"}\n",
+ name, have_ellipsis->label,
name, have_ellipsis->gen_name,
name, have_ellipsis->gen_name,
forwstr,
name, have_ellipsis->gen_name,
- name, have_ellipsis->gen_name,
- name, have_ellipsis->label);
+ name, have_ellipsis->gen_name);
} else {
fprintf(codefile,
"else {\n"
diff --git a/source4/heimdal/lib/asn1/gen_free.c
b/source4/heimdal/lib/asn1/gen_free.c
index b9cae7533b1..74449fe6ca8 100644
--- a/source4/heimdal/lib/asn1/gen_free.c
+++ b/source4/heimdal/lib/asn1/gen_free.c
@@ -61,6 +61,13 @@ free_type (const char *name, const Type *t, int preserve)
case TNull:
case TGeneralizedTime:
case TUTCTime:
+ /*
+ * This doesn't do much, but it leaves zeros where garbage might
+ * otherwise have been found. Gets us closer to having the equivalent
+ * of a memset()-to-zero data structure after calling the free
+ * functions.
+ */
+ fprintf(codefile, "*%s = 0;\n", name);
break;
case TBitString:
if (ASN1_TAILQ_EMPTY(t->members))
--
Samba Shared Repository
