[Buildroot] [PATCH 1/1] package/libkrb5: fix CVE-2021-37750

Yann E. MORIN yann.morin.1998 at free.fr
Sat Sep 18 06:55:38 UTC 2021


Fabrice, All,

On 2021-09-15 21:48 +0200, Fabrice Fontaine spake thusly:
> The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
> 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in
> kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...-deref-on-TGS-inner-body-null-server.patch | 47 +++++++++++++++++++
>  package/libkrb5/libkrb5.mk                    |  3 ++
>  2 files changed, 50 insertions(+)
>  create mode 100644 package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> 
> diff --git a/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch b/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> new file mode 100644
> index 0000000000..ec6f623380
> --- /dev/null
> +++ b/package/libkrb5/0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> @@ -0,0 +1,47 @@
> +From d775c95af7606a51bf79547a94fa52ddd1cb7f49 Mon Sep 17 00:00:00 2001
> +From: Greg Hudson <ghudson at mit.edu>
> +Date: Tue, 3 Aug 2021 01:15:27 -0400
> +Subject: [PATCH] Fix KDC null deref on TGS inner body null server
> +
> +After the KDC decodes a FAST inner body, it does not check for a null
> +server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
> +would typically result in an error from krb5_unparse_name(), but with
> +the addition of get_local_tgt() it results in a null dereference.  Add
> +a null check.
> +
> +Reported by Joseph Sutton of Catalyst.
> +
> +CVE-2021-37750:
> +
> +In MIT krb5 releases 1.14 and later, an authenticated attacker can
> +cause a null dereference in the KDC by sending a FAST TGS request with
> +no server field.
> +
> +ticket: 9008 (new)
> +tags: pullup
> +target_version: 1.19-next
> +target_version: 1.18-next
> +
> +[Retrieved from:
> +https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +---
> + src/kdc/do_tgs_req.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
> +index 582e497cc9..32dc65fa8e 100644
> +--- a/src/kdc/do_tgs_req.c
> ++++ b/src/kdc/do_tgs_req.c
> +@@ -204,6 +204,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
> +         status = "FIND_FAST";
> +         goto cleanup;
> +     }
> ++    if (sprinc == NULL) {
> ++        status = "NULL_SERVER";
> ++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
> ++        goto cleanup;
> ++    }
> + 
> +     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
> +                             &local_tgt, &local_tgt_storage, &local_tgt_key);
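
Review bot: The new `sprinc == NULL` branch in process_tgs_req() exits through `goto cleanup`, and the cleanup code is outside this hunk, so confirm that path tolerates a null `sprinc` before relying on the fix. The placement itself looks right: the check sits directly ahead of the `&sprinc->realm` argument to get_local_tgt(), which is the dereference the commit message describes. For the Buildroot side, the patch header could also state which upstream releases carry this commit (the cover text names 1.18.5 and 1.19.3) so the file is easy to drop at the next version bump.
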
> diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
> index 89f219d913..d41e7559a5 100644
> --- a/package/libkrb5/libkrb5.mk
> +++ b/package/libkrb5/libkrb5.mk
> @@ -16,6 +16,9 @@ LIBKRB5_CPE_ID_PRODUCT = kerberos_5
>  LIBKRB5_DEPENDENCIES = host-bison $(TARGET_NLS_DEPENDENCIES)
>  LIBKRB5_INSTALL_STAGING = YES
>  
> +# 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
> +LIBKRB5_IGNORE_CVES += CVE-2021-37750
> +
>  # The configure script uses AC_TRY_RUN tests to check for those values,
>  # which doesn't work in a cross-compilation scenario. Therefore,
>  # we feed the configure script with the correct answer for those tests
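
Review bot: The `LIBKRB5_IGNORE_CVES += CVE-2021-37750` line is tied to the patch only by the comment above it, so nothing forces the two to be removed together. When libkrb5 is bumped to a release that already contains the fix, drop both 0001-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch and this ignore entry in the same commit; a leftover ignore would keep suppressing the CVE in the package's CVE reporting even if the patch were no longer applied.
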
> -- 
> 2.33.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

