[31518] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fix two NegoEx parsing vulnerabilities

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Apr 13 13:21:50 2026

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260413172144.575F5104B37@krbdev.mit.edu>
Date: Mon, 13 Apr 2026 13:21:44 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
commit 2e75f0d9362fb979f5fc92829431a590a130929f
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Apr 8 17:57:59 2026 -0400

    Fix two NegoEx parsing vulnerabilities
    
    In parse_nego_message(), check the result of the second call to
    vector_base() before dereferencing it.  In parse_message(), check for
    a short header_len to prevent an integer underflow when calculating
    the remaining message length.
    
    Reported by Cem Onat Karagun.
    
    CVE-2026-40355:
    
    In MIT krb5 release 1.18 and later, if an application calls
    gss_accept_sec_context() on a system with a NegoEx mechanism
    registered in /etc/gss/mech, an unauthenticated remote attacker can
    trigger a null pointer dereference, causing the process to terminate.
    
    CVE-2026-40356:
    
    In MIT krb5 release 1.18 and later, if an application calls
    gss_accept_sec_context() on a system with a NegoEx mechanism
    registered in /etc/gss/mech, an unauthenticated remote attacker can
    trigger a read overrun of up to 52 bytes, possibly causing the process
    to terminate.  Exfiltration of the bytes read does not appear
    possible.
    
    ticket: 9205 (new)
    tags: pullup
    target_version: 1.22-next

 src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
index edc5462e8..a65238e57 100644
--- a/src/lib/gssapi/spnego/negoex_util.c
+++ b/src/lib/gssapi/spnego/negoex_util.c
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
     offset = k5_input_get_uint32_le(in);
     count = k5_input_get_uint16_le(in);
     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+    if (p == NULL) {
+        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
     for (i = 0; i < count; i++) {
         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
         if (extension_type & EXTENSION_FLAG_CRITICAL) {
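Review bot: the new `if (p == NULL)` check is correct but gives no hint of why vector_base() can return NULL; since `count` is read straight from the token two lines earlier and then drives the loop bound, a one-line comment such as `/* extension vector lies outside the message */` would tell the next reader this is a bounds-check failure on untrusted length fields, not an allocation failure. It is also worth confirming that the first vector_base() call in parse_nego_message() (not shown in this hunk) reports the same ERR_NEGOEX_INVALID_MESSAGE_SIZE / GSS_S_DEFECTIVE_TOKEN pair, so callers see consistent minor codes for the two equivalent failures.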
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
     msg_len = k5_input_get_uint32_le(in);
     conv_id = k5_input_get_bytes(in, GUID_LENGTH);
 
-    if (in->status || msg_len > token_remaining || header_len > msg_len) {
+    if (in->status || msg_len > token_remaining ||
+        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
         return GSS_S_DEFECTIVE_TOKEN;
     }
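Review bot: the added clause `header_len < (size_t)(in->ptr - msg_base)` states the fix's invariant only implicitly: header_len must cover the fixed fields already consumed (through conv_id) so the later remaining-length computation cannot underflow. A comment saying so, or a comparison against a named constant for the fixed header size instead of the pointer difference, would make that invariant explicit to readers who have not seen the commit message. The pointer subtraction also assumes msg_base points into the same buffer as in->ptr (assigned outside this hunk); because `in->status` is tested first and short-circuits on a truncated read, the arithmetic is only reached once the header has been fully read, which is worth noting beside the condition as well.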
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
