fix CVE-2022-44640

2022-12-17 07:43:46 +00:00 · 2022-12-17 07:43:46 +00:00 · c0b8539aff
commit c0b8539aff
parent 900da28af8
3 changed files with 167 additions and 1 deletions
--- a/backport-0001-CVE-2022-44640.patch
+++ b/backport-0001-CVE-2022-44640.patch
@ -0,0 +1,112 @@
+From b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Wed, 10 Mar 2021 16:49:04 -0600
+Subject: [PATCH 1/2] CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
+
+This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
+
+Heimdal's ASN.1 compiler generates code that allows specially
+crafted DER encodings of CHOICEs to invoke the wrong free function
+on the decoded structure upon decode error.  This is known to impact
+the Heimdal KDC, leading to an invalid free() of an address partly
+or wholly under the control of the attacker, in turn leading to a
+potential remote code execution (RCE) vulnerability.
+
+This error affects the DER codec for all CHOICE types used in
+Heimdal, though not all cases will be exploitable.  We have not
+completed a thorough analysis of all the Heimdal components
+affected, thus the Kerberos client, the X.509 library, and other
+parts, may be affected as well.
+
+This bug has been in Heimdal since 2005.  It was first reported by
+Douglas Bagnall, though it had been found independently by the
+Heimdal maintainers via fuzzing a few weeks earlier.
+
+While no zero-day exploit is known, such an exploit will likely be
+available soon after public disclosure.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
+
+[abartlet@samba.org Adapted from Heimdal commit
+ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15
+by dropping fuzz-inputs file and EXPORTS entry for fuzzing]
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17679
+---
+ source4/heimdal/lib/asn1/gen_decode.c | 12 ++++++------
+ source4/heimdal/lib/asn1/gen_free.c   |  7 +++++++
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c
+index 9d816d5400d7..bf2d93b806df 100644
+--- a/source4/heimdal/lib/asn1/gen_decode.c
+++ b/source4/heimdal/lib/asn1/gen_decode.c
+@@ -584,14 +584,14 @@ decode_type (const char *name, const Type *t, int optional,
+ 		    classname(cl),
+ 		    ty ? "CONS" : "PRIM",
+ 		    valuename(cl, tag));
+	    fprintf(codefile,
+		    "(%s)->element = %s;\n",
+		    name, m->label);
+ 	    if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
+ 			  name, m->gen_name) < 0 || s == NULL)
+ 		errx(1, "malloc");
+ 	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+ 		depth + 1);
+-	    fprintf(codefile,
+-		    "(%s)->element = %s;\n",
+-		    name, m->label);
+ 	    free(s);
+ 	    fprintf(codefile,
+ 		    "}\n");
+@@ -600,23 +600,23 @@ decode_type (const char *name, const Type *t, int optional,
+ 	if (have_ellipsis) {
+ 	    fprintf(codefile,
+ 		    "else {\n"
+		    "(%s)->element = %s;\n"
+ 		    "(%s)->u.%s.data = calloc(1, len);\n"
+ 		    "if ((%s)->u.%s.data == NULL) {\n"
+ 		    "e = ENOMEM; %s;\n"
+ 		    "}\n"
+ 		    "(%s)->u.%s.length = len;\n"
+ 		    "memcpy((%s)->u.%s.data, p, len);\n"
+-		    "(%s)->element = %s;\n"
+ 		    "p += len;\n"
+ 		    "ret += len;\n"
+ 		    "len = 0;\n"
+ 		    "}\n",
+		    name, have_ellipsis->label,
+ 		    name, have_ellipsis->gen_name,
+ 		    name, have_ellipsis->gen_name,
+ 		    forwstr,
+ 		    name, have_ellipsis->gen_name,
+-		    name, have_ellipsis->gen_name,
+-		    name, have_ellipsis->label);
+		    name, have_ellipsis->gen_name);
+ 	} else {
+ 	    fprintf(codefile,
+ 		    "else {\n"
+diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c
+index b9cae7533b17..74449fe6ca82 100644
+--- a/source4/heimdal/lib/asn1/gen_free.c
+++ b/source4/heimdal/lib/asn1/gen_free.c
+@@ -61,6 +61,13 @@ free_type (const char *name, const Type *t, int preserve)
+     case TNull:
+     case TGeneralizedTime:
+     case TUTCTime:
+        /*
+         * This doesn't do much, but it leaves zeros where garbage might
+         * otherwise have been found.  Gets us closer to having the equivalent
+         * of a memset()-to-zero data structure after calling the free
+         * functions.
+         */
+        fprintf(codefile, "*%s = 0;\n", name);
+ 	break;
+     case TBitString:
+ 	if (ASN1_TAILQ_EMPTY(t->members))
+-- 
+2.34.1
--- a/backport-0002-CVE-2022-44640.patch
+++ b/backport-0002-CVE-2022-44640.patch
@ -0,0 +1,46 @@
+From 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 7 Dec 2022 20:13:25 +1300
+Subject: [PATCH 2/2] CVE-2022-44640 source4/heimdal: Fix use-after-free when
+ decoding PA-ENC-TS-ENC
+
+Upstream Heimdal fixed this in commit
+7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
+ENC-CHALLANGE).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17679
+---
+ source4/heimdal/kdc/kerberos5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
+index ad026dd617bd..bda61e69df2a 100644
+--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
+@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
+ 			client_name);
+ 		continue;
+ 	    }
+-	    free_PA_ENC_TS_ENC(&p);
+ 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
+ 		char client_time[100];
+ 
+@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
+ 		 * there is a e_text, they become unhappy.
+ 		 */
+ 		e_text = NULL;
+		free_PA_ENC_TS_ENC(&p);
+ 		goto out;
+ 	    }
+	    free_PA_ENC_TS_ENC(&p);
+ 	    et.flags.pre_authent = 1;
+ 
+ 	    set_salt_padata(rep.padata, pa_key->salt);
+-- 
+2.34.1
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        21
+Release:        22

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -296,6 +296,8 @@ Patch6366:       backport-0003-CVE-2022-42898.patch
 Patch6367:       backport-0004-CVE-2022-42898.patch
 Patch6368:       backport-s3waf-Fix-version-number-of-public-libsmbconf.patch
 Patch6369:       backport-waf-Fix-SO-version-number-of-libsamba-errors.patch
+Patch6370:       backport-0001-CVE-2022-44640.patch
+Patch6371:       backport-0002-CVE-2022-44640.patch


 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3354,6 +3356,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Sat Dec 17 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-22
+- Type:cves
+- CVE:CVE-2022-44640
+- SUG:NA
+- DESC:fix CVE-2022-44640
+
 * Fri Dec 02 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-21
 - Type:bugfix
 - CVE:NA