Source: gss-ntlmssp
Version: 1.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for gss-ntlmssp.

CVE-2023-25563[0]:
| GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that
| implements NTLM authentication. Prior to version 1.2.0, multiple
| out-of-bounds reads when decoding NTLM fields can trigger a denial of
| service. A 32-bit integer overflow condition can lead to incorrect
| checks of consistency of length of internal buffers. Although most
| applications will error out before accepting a single input buffer of
| 4GB in length this could theoretically happen. This vulnerability can
| be triggered via the main `gss_accept_sec_context` entry point if the
| application allows tokens greater than 4GB in length. This can lead to
| a large, up to 65KB, out-of-bounds read which could cause a
| denial-of-service if it reads from unmapped memory. Version 1.2.0
| contains a patch for the out-of-bounds reads.

CVE-2023-25564[1]:
| GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that
| implements NTLM authentication. Prior to version 1.2.0, memory
| corruption can be triggered when decoding UTF16 strings. The variable
| `outlen` was not initialized and could cause writing a zero to an
| arbitrary place in memory if `ntlm_str_convert()` were to fail, which
| would leave `outlen` uninitialized. This can lead to a denial of
| service if the write hits unmapped memory or randomly corrupts a byte
| in the application memory space. This vulnerability can trigger an
| out-of-bounds write, leading to memory corruption. This vulnerability
| can be triggered via the main `gss_accept_sec_context` entry point.
| This issue is fixed in version 1.2.0.

CVE-2023-25565[2]:
| GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that
| implements NTLM authentication. Prior to version 1.2.0, an incorrect
| free when decoding target information can trigger a denial of service.
| The error condition incorrectly assumes the `cb` and `sh` buffers
| contain a copy of the data that needs to be freed. However, that is
| not the case. This vulnerability can be triggered via the main
| `gss_accept_sec_context` entry point. This will likely trigger an
| assertion failure in `free`, causing a denial-of-service. This issue
| is fixed in version 1.2.0.

CVE-2023-25566[3]:
| GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that
| implements NTLM authentication. Prior to version 1.2.0, a memory leak
| can be triggered when parsing usernames which can trigger a
| denial-of-service. The domain portion of a username may be overridden
| causing an allocated memory area the size of the domain name to be
| leaked. An attacker can leak memory via the main
| `gss_accept_sec_context` entry point, potentially causing a
| denial-of-service. This issue is fixed in version 1.2.0.

CVE-2023-25567[4]:
| GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements
| NTLM authentication, has an out-of-bounds read when decoding target
| information prior to version 1.2.0. The length of the `av_pair` is not
| checked properly for two of the elements which can trigger an
| out-of-bound read. The out-of-bounds read can be triggered via the main
| `gss_accept_sec_context` entry point and could cause a
| denial-of-service if the memory is unmapped. The issue is fixed in
| version 1.2.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-25563
    https://www.cve.org/CVERecord?id=CVE-2023-25563
[1] https://security-tracker.debian.org/tracker/CVE-2023-25564
    https://www.cve.org/CVERecord?id=CVE-2023-25564
[2] https://security-tracker.debian.org/tracker/CVE-2023-25565
    https://www.cve.org/CVERecord?id=CVE-2023-25565
[3] https://security-tracker.debian.org/tracker/CVE-2023-25566
    https://www.cve.org/CVERecord?id=CVE-2023-25566
[4] https://security-tracker.debian.org/tracker/CVE-2023-25567
    https://www.cve.org/CVERecord?id=CVE-2023-25567

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
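The 32-bit length-check overflow that CVE-2023-25563 describes, shown as an added illustration of the bug class and its hardened form (this is not gss-ntlmssp's own code; the field layout follows the NTLM Len/MaxLen/BufferOffset header, and the struct and function names are assumed):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTLM payload field header: Len, MaxLen (16-bit) and BufferOffset (32-bit),
 * little-endian, describing a slice of the same message buffer. */
struct ntlm_field {
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;
};

/* Decode the 8-byte little-endian field header at hdr. */
struct ntlm_field ntlm_field_read(const uint8_t hdr[8])
{
    struct ntlm_field f;
    f.len    = (uint16_t)(hdr[0] | (hdr[1] << 8));
    f.maxlen = (uint16_t)(hdr[2] | (hdr[3] << 8));
    f.offset = (uint32_t)hdr[4] | ((uint32_t)hdr[5] << 8) |
               ((uint32_t)hdr[6] << 16) | ((uint32_t)hdr[7] << 24);
    return f;
}

/* Overflow-prone check: offset + len is summed in 32 bits, so a sum past
 * 4 GiB wraps to a small value and an out-of-range field is accepted. */
bool ntlm_field_in_bounds_unsafe(const struct ntlm_field *f, uint32_t buflen)
{
    uint32_t end = f->offset + f->len;   /* may wrap around */
    return end <= buflen;
}

/* Hardened check: compare against buflen - len instead of forming
 * offset + len; the subtraction cannot wrap once len <= buflen holds. */
bool ntlm_field_in_bounds_safe(const struct ntlm_field *f, size_t buflen)
{
    if (f->len > buflen)
        return false;
    return f->offset <= buflen - f->len;
}

int main(void)
{
    /* Constructed header: Len = 0x20, MaxLen = 0x20, Offset = 0xFFFFFFF0. */
    const uint8_t hdr[8] = { 0x20, 0x00, 0x20, 0x00, 0xF0, 0xFF, 0xFF, 0xFF };
    struct ntlm_field f = ntlm_field_read(hdr);
    printf("unsafe check accepts: %d\n", ntlm_field_in_bounds_unsafe(&f, 1024));
    printf("safe check accepts:   %d\n", ntlm_field_in_bounds_safe(&f, 1024));
    return 0;
}
```

With a 1024-byte buffer the wrapped sum (0x10) passes the unsafe check while the subtraction-based check rejects the field.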