git: 73ac8e036934 - main - security/krb5-121: Fix double-free in KDC TGS processing
Date: Mon, 14 Aug 2023 14:46:04 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=73ac8e036934587e606aefad711b19ab9431fe83
commit 73ac8e036934587e606aefad711b19ab9431fe83
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-08-14 14:43:21 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-08-14 14:45:52 +0000
security/krb5-121: Fix double-free in KDC TGS processing
Upstream's commit log message:
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
Obtained from: Upstream git commit 88a1701b4
MFH: 2023Q3
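The aliasing mechanism the commit message describes, as an added illustration that is not part of this commit or of krb5's code: hypothetical simplified `ticket`/`enc_data` structs stand in for krb5's types, and a tracking `free` reports a repeated free instead of corrupting the heap.

```c
/* Added illustration of the struct-copy aliasing bug; hypothetical simplified
 * structs, not krb5's real types, code or cleanup routine. */
#include <stdlib.h>
#include <string.h>

typedef struct { char *ciphertext; } enc_data;               /* stands in for krb5_enc_data */
typedef struct { const char *server; enc_data enc_part; } ticket; /* stands in for krb5_ticket */

/* Tracking free: refuses to free a pointer twice and counts the attempt,
 * so the bug can be observed safely in a test. */
static void *freed_ptrs[8];
static int freed_count, double_free_count;

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == p) { double_free_count++; return; }
    freed_ptrs[freed_count++] = p;
    free(p);
}

static void reset_tracker(void) { freed_count = 0; double_free_count = 0; }

/* Error path shared by both versions: release the partially built reply
 * ticket, then the decoded header ticket (as described for handle_authdata()). */
static void cleanup(ticket *reply, ticket *header) {
    tracked_free(reply->enc_part.ciphertext);
    tracked_free(header->enc_part.ciphertext);
}

/* Builds the reply as before the fix (whole-struct copy) or after it (server
 * field only), then simulates handle_authdata() failing before
 * krb5_encrypt_tkt_part() ran. Returns the number of double frees caught. */
int renew_with_authdata_failure(int fixed) {
    ticket header = { "krbtgt/EXAMPLE.COM", { NULL } };   /* constructed sample */
    ticket reply;
    header.enc_part.ciphertext = malloc(32);
    strcpy(header.enc_part.ciphertext, "header-ciphertext");
    memset(&reply, 0, sizeof reply);   /* reply starts out zeroed, enc_part empty */
    reset_tracker();
    if (fixed)
        reply.server = header.server;  /* copy only the server principal */
    else
        reply = header;                /* aliases header.enc_part.ciphertext */
    cleanup(&reply, &header);          /* handle_authdata() failed */
    return double_free_count;
}
```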
---
security/krb5-121/Makefile | 1 +
security/krb5-121/files/patch-kdc_do__tgs__req.c | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/security/krb5-121/Makefile b/security/krb5-121/Makefile
index 4ba2b5aa5cea..fe0251da5e19 100644
--- a/security/krb5-121/Makefile
+++ b/security/krb5-121/Makefile
@@ -1,5 +1,6 @@
PORTNAME= krb5
PORTVERSION= 1.21.1
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
.if !defined(MASTERDIR)
diff --git a/security/krb5-121/files/patch-kdc_do__tgs__req.c b/security/krb5-121/files/patch-kdc_do__tgs__req.c
new file mode 100644
index 000000000000..b42861d35c02
--- /dev/null
+++ b/security/krb5-121/files/patch-kdc_do__tgs__req.c
@@ -0,0 +1,14 @@
+--- kdc/do_tgs_req.c.orig 2023-07-10 13:58:20.000000000 -0700
++++ kdc/do_tgs_req.c 2023-08-14 07:23:14.383349000 -0700
+@@ -1010,8 +1010,9 @@
+ }
+
+ if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
+- /* Copy the whole header ticket except for authorization data. */
+- ticket_reply = *t->header_tkt;
++ /* Copy the header ticket server and all enc-part fields except for
++ * authorization data. */
++ ticket_reply.server = t->header_tkt->server;
+ enc_tkt_reply = *t->header_tkt->enc_part2;
+ enc_tkt_reply.authorization_data = NULL;
+ } else {
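Review bot: the new `ticket_reply.server = t->header_tkt->server;` line only removes the aliasing if `ticket_reply.enc_part` is already empty when this branch runs; that initialization sits outside the hunk, so confirm it above this block rather than relying on the `} else {` branch alone. The copied `server` is still a shallow pointer copy borrowed from `t->header_tkt` (as it was with the whole-struct copy), so a short comment stating that the reply must not free `server` separately would help future readers.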