[16891] in Kerberos-V5-bugs


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[krbdev.mit.edu #9085] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Jul 11 18:57:11 2023

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-2254692-1689116202-1720.9085-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9085":;
Date: Tue, 11 Jul 2023 18:56:42 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9085 >

Fix read overruns in SPNEGO parsing

Fix three read overruns discovered by the GitHub Security Lab team
(GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz.

In get_mech_set(), error out if gss_add_oid_set_member() fails rather
than continue the loop and increment i past the current bound of
returned_mechSet.  In g_verify_neg_token_init(), check for zero-byte
sequences before reading tag bytes, and reduce cur_size by one to
account for the tag byte when calling gssint_get_der_length().

(cherry picked from commit 47c2a12830dbd7fb8e13c239ddc0ac74129a91f6)

https://github.com/krb5/krb5/commit/eb886f626526769e596443314bcbe4e8bd9d84ee
Author: Greg Hudson <ghudson@mit.edu>
Commit: eb886f626526769e596443314bcbe4e8bd9d84ee
Branch: krb5-1.20
 src/lib/gssapi/spnego/spnego_mech.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[16891] in Kerberos-V5-bugs

[krbdev.mit.edu #9085] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)Tue Jul 11 18:57:11 2023

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Jul 11 18:57:11 2023