[SCM] Samba Shared Repository - branch v4-19-test updated

Jule Anger janger at samba.org
Mon Oct 16 08:29:01 UTC 2023


The branch, v4-19-test has been updated
       via  f0da8219262 CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
      from  147050697e1 ctdb-daemon: Call setproctitle_init()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit f0da8219262ba7c3e066d4f519063edf26f36b88
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 10 11:59:34 2023 +1300

    CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
    
    The issue here is that only the size of the pointer, not the size
    of the structure was allocated with calloc().
    
    This means that the malloc() for the freshness token bytes would
    have the memory address written beyond the end of the allocated memory.
    
    Additionally, the allocation was not free()ed, resulting in a memory
    leak.  This means that a user could trigger ongoing memory allocation
    in the server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b)
    
    Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-19-test): Mon Oct 16 08:28:32 UTC 2023 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 third_party/heimdal/kdc/pkinit.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index 495dfa7a7e5..88aa2887fb7 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp)
 	hx509_peer_info_free(cp->peer);
     if (cp->client_anchors)
 	hx509_certs_free(&cp->client_anchors);
+    if (cp->freshness_token)
+	der_free_octet_string(cp->freshness_token);
+    free(cp->freshness_token);
     memset(cp, 0, sizeof(*cp));
     free(cp);
 }
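Review bot: The `if (cp->freshness_token)` guard in `_kdc_pk_free_client_param` covers only the `der_free_octet_string()` call, while `free(cp->freshness_token)` on the next line runs unconditionally. That is correct, since `free(NULL)` is a no-op, but without braces the two added lines are easy to misread as a single guarded block. Consider bracing the guarded call, or moving both calls inside one braced guard, so a later edit does not accidentally separate or drop the `free()`.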
@@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
 	 * Copy the freshness token into the out parameters if it is present.
 	 */
 	if (ap.pkAuthenticator.freshnessToken != NULL) {
-	    cp->freshness_token = calloc(1, sizeof (cp->freshness_token));
+	    cp->freshness_token = calloc(1, sizeof (*cp->freshness_token));
 	    if (cp->freshness_token == NULL) {
 		ret = ENOMEM;
 		free_AuthPack(&ap);
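Review bot: The corrected `calloc(1, sizeof (*cp->freshness_token))` comes with no regression test in this commit (the summary lists only `third_party/heimdal/kdc/pkinit.c`), so a test that sends a PKINIT request carrying a freshness token, run under a memory checker, would be worth adding to keep both the allocation size and the new free path covered. It would also help to extend the comment above the `if` to state that `cp` owns the copied token and that `_kdc_pk_free_client_param` releases it, since the first hunk relies on that ownership.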


-- 
Samba Shared Repository


