diff options
author | Greg Hudson <ghudson@mit.edu> | 2024-06-14 10:56:12 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2024-06-26 12:32:23 -0400 |
commit | b0a2f8a5365f2eec3e27d78907de9f9d2c80505a (patch) | |
tree | 54b1d106bc1bc43247601f224b84606bf1dfa46b /doc/conf.py | |
parent | 78f38ca89a6e80cd17bd3ba2f9c5482981206ad5 (diff) | |
download | krb5-b0a2f8a5365f2eec3e27d78907de9f9d2c80505a.zip krb5-b0a2f8a5365f2eec3e27d78907de9f9d2c80505a.tar.gz krb5-b0a2f8a5365f2eec3e27d78907de9f9d2c80505a.tar.bz2 |
Fix vulnerabilities in GSS message token handling
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.
In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.
In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.
CVE-2024-37370:
In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.
CVE-2024-37371:
In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.
ticket: 9128 (new)
tags: pullup
target_version: 1.21-next
Diffstat (limited to 'doc/conf.py')
0 files changed, 0 insertions, 0 deletions