diff --git a/0001-Add-compatibility-with-OpenSSL-1.1.0.patch b/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
deleted file mode 100644
index a3b3913..0000000
--- a/0001-Add-compatibility-with-OpenSSL-1.1.0.patch
+++ /dev/null
@@ -1,149 +0,0 @@ -From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Wed, 29 Jun 2016 11:15:11 -0400 -Subject: [PATCH] Add compatibility with OpenSSL 1.1.0 - -In their continued wisdom OpenSSL developers keep breaking APIs left and right -with very poor documentation and forward/backward source compatibility. - -Signed-off-by: Simo Sorce ---- - src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 48 insertions(+), 12 deletions(-) - -diff --git a/src/crypto.c b/src/crypto.c -index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644 ---- a/src/crypto.c -+++ b/src/crypto.c -@@ -27,6 +27,32 @@ - - #include "crypto.h" - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+HMAC_CTX *HMAC_CTX_new(void) -+{ -+ HMAC_CTX *ctx; -+ -+ ctx = OPENSSL_malloc(sizeof(HMAC_CTX)); -+ if (!ctx) return NULL; -+ -+ HMAC_CTX_init(ctx); -+ -+ return ctx; -+} -+ -+void HMAC_CTX_free(HMAC_CTX *ctx) -+{ -+ if (ctx == NULL) return; -+ -+ HMAC_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+} -+ -+#define EVP_MD_CTX_new EVP_MD_CTX_create -+#define EVP_MD_CTX_free EVP_MD_CTX_destroy -+ -+#endif -+ - int RAND_BUFFER(struct ntlm_buffer *random) - { - int ret; -@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key, - struct ntlm_iov *iov, - struct ntlm_buffer *result) - { -- HMAC_CTX hmac_ctx; -+ HMAC_CTX *hmac_ctx; - unsigned int len; - size_t i; - int ret = 0; - - if (result->length != 16) return EINVAL; - -- HMAC_CTX_init(&hmac_ctx); -+ hmac_ctx = HMAC_CTX_new(); -+ if (!hmac_ctx) { -+ ret = ERR_CRYPTO; -+ goto done; -+ } - -- ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL); -+ ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - - for (i = 0; i < iov->num; i++) { -- ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length); -+ ret = HMAC_Update(hmac_ctx, 
iov->data[i]->data, iov->data[i]->length); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - } - -- ret = HMAC_Final(&hmac_ctx, result->data, &len); -+ ret = HMAC_Final(hmac_ctx, result->data, &len); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; -@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key, - ret = 0; - - done: -- HMAC_CTX_cleanup(&hmac_ctx); -+ HMAC_CTX_free(hmac_ctx); - return ret; - } - -@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type, - struct ntlm_buffer *payload, - struct ntlm_buffer *result) - { -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned int len; - int ret; - - if (result->length != 16) return EINVAL; - -- EVP_MD_CTX_init(&ctx); -- ret = EVP_DigestInit_ex(&ctx, type, NULL); -+ ctx = EVP_MD_CTX_new(); -+ if (!ctx) { -+ ret = ERR_CRYPTO; -+ goto done; -+ } -+ -+ EVP_MD_CTX_init(ctx); -+ ret = EVP_DigestInit_ex(ctx, type, NULL); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - -- ret = EVP_DigestUpdate(&ctx, payload->data, payload->length); -+ ret = EVP_DigestUpdate(ctx, payload->data, payload->length); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; - } - -- ret = EVP_DigestFinal_ex(&ctx, result->data, &len); -+ ret = EVP_DigestFinal_ex(ctx, result->data, &len); - if (ret == 0) { - ret = ERR_CRYPTO; - goto done; -@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type, - ret = 0; - - done: -- EVP_MD_CTX_cleanup(&ctx); -+ if (ctx) EVP_MD_CTX_free(ctx); - return ret; - } - --- -2.9.3 - diff --git a/CVE-2023-25563.patch b/CVE-2023-25563.patch deleted file mode 100644 index 04ad195..0000000 --- a/CVE-2023-25563.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 7 Feb 2023 13:51:34 -0500 -Subject: [PATCH] Out-of-bounds read in multiple decode functions - -These were reported as: -- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019) -- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020) -- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021) - -These are lall basically the same identical error replicated in 3 -separate functions. - -Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by -the GitHub Security Lab team via oss-fuzz. - -A 32-bit integer overflow condition can lead to incorrect checks of -consistency of length of internal buffers. This leads to a DoS -as the service may end up reading from unmapped memory and crashing. - -Although most applications will error out before accepting a singe input -buffer of 4GB in lenght this could theoretically happen, and therefore -we fix it. - -Fixes CVE-2023-25563 - -Signed-off-by: Simo Sorce ---- - src/ntlm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/ntlm.c b/src/ntlm.c -index b2d84a2..df2458a 100644 ---- a/src/ntlm.c -+++ b/src/ntlm.c -@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd, - return 0; - } - -- - uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0}; - - static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type) -@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr, - str_offs = le32toh(str_hdr->offset); - if ((str_offs < payload_offs) || - (str_offs > buffer->length) || -+ (UINT32_MAX - str_offs < str_len) || - (str_offs + str_len > buffer->length)) { - return ERR_DECODE; - } -@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx, - str_offs = le32toh(str_hdr->offset); - if ((str_offs < payload_offs) || - (str_offs > buffer->length) || -+ (UINT32_MAX - str_offs < str_len) || - (str_offs + 
str_len > buffer->length)) { - return ERR_DECODE; - } -@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr, - offs = le32toh(hdr->offset); - if ((offs < payload_offs) || - (offs > buffer->length) || -+ (UINT32_MAX - offs < len) || - (offs + len > buffer->length)) { - return ERR_DECODE; - } diff --git a/CVE-2023-25564.patch b/CVE-2023-25564.patch deleted file mode 100644 index 9d0bf7a..0000000 --- a/CVE-2023-25564.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 7 Feb 2023 12:14:20 -0500 -Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16 - -Memory corruption when decoding UTF16 strings (GHSL-2023-013) - -Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via -oss-fuzz. - -The variable outlen was not initialized and could cause writing a zero -to an arbitrary place in memory if ntlm_str_convert() were to fail, -which would leave outlen uninitialized. - -This can lead to a DoS if the write hits unmapped memory or randomly -corrupting a byte in the application memory space. - -Make sure to zero out only if ntlm_str_convert() succeeds, but for good -measure also initialize outlen to 0. - -Fixes CVE-2023-25564 - -Signed-off-by: Simo Sorce ---- - src/ntlm.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/ntlm.c b/src/ntlm.c -index df2458a..0ac1c03 100644 ---- a/src/ntlm.c -+++ b/src/ntlm.c -@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx, - char *in, *out = NULL; - uint16_t str_len; - uint32_t str_offs; -- size_t outlen; -+ size_t outlen = 0; - int ret = 0; - - str_len = le16toh(str_hdr->len); -@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx, - - ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen); - -- /* make sure to terminate output string */ -- out[outlen] = '\0'; -- - done: - if (ret) { - safefree(out); -+ } else { -+ /* make sure to terminate output string */ -+ out[outlen] = '\0'; - } -+ - *str = out; - return ret; - } diff --git a/CVE-2023-25565.patch b/CVE-2023-25565.patch deleted file mode 100644 index c13a0a9..0000000 --- a/CVE-2023-25565.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From c16100f60907a2de92bcb676f303b81facee0f64 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 7 Feb 2023 12:04:11 -0500 -Subject: [PATCH] GHSL-2023-012: Incorrect free when decoding target - -Incorrect free when decoding target information (GHSL-2023-012) - -Fixes defect GHSL-2023-012 found by the GitHub Security Lab team via -oss-fuzz. - -The error condition incorrectly assumed the cb and sh buffers would -contain a copy of the data that needed to freed. However that is not the -case. - -This will generally cause an assertion when trying to free a pointer -that was never allocated, and potentially memory corruption depending on -the contents fo the target_info buffer. - -This may cause a DoS condition. - -Signed-off-by: Simo Sorce ---- - src/ntlm.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/ntlm.c b/src/ntlm.c -index 0ac1c03..d3d7d1b 100644 ---- a/src/ntlm.c -+++ b/src/ntlm.c -@@ -731,8 +731,6 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer, - - done: - if (ret) { -- ntlm_free_buffer_data(&sh); -- ntlm_free_buffer_data(&cb); - safefree(nb_computer); - safefree(nb_domain); - safefree(dns_computer); diff --git a/CVE-2023-25567.patch b/CVE-2023-25567.patch deleted file mode 100644 index 7a7ac43..0000000 --- a/CVE-2023-25567.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Tue, 7 Feb 2023 11:53:11 -0500
-Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding
-
-Out-of-bounds read when decoding target information (GHSL-2023-011)
-
-Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
-oss-fuzz.
-
-The lenght of the av_pair is not checked properly for two of the
-elements. In case the lenght is shorter than requires this may cause an
-out-of-bound read that either reads garbage or may cause a crash by
-reading unmapped memory.
-
-This can be exploited to crash the service causing a DoS.
-
-Signed-off-by: Simo Sorce
----
- src/ntlm.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/ntlm.c b/src/ntlm.c
-index d3d7d1b..0f71bfd 100644
---- a/src/ntlm.c
-+++ b/src/ntlm.c
-@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
- break;
- case MSV_AV_TIMESTAMP:
- if (!av_timestamp) continue;
-+ if (av_len < sizeof(timestamp)) {
-+ ret = ERR_DECODE;
-+ goto done;
-+ }
- memcpy(×tamp, av_pair->value, sizeof(timestamp));
- timestamp = le64toh(timestamp);
- break;
- case MSV_AV_FLAGS:
- if (!av_flags) continue;
-+ if (av_len < sizeof(flags)) {
-+ ret = ERR_DECODE;
-+ goto done;
-+ }
- memcpy(&flags, av_pair->value, sizeof(flags));
- flags = le32toh(flags);
- break;
diff --git a/gssntlmssp-0.7.0.tar.gz b/gssntlmssp-0.7.0.tar.gz
deleted file mode 100644
index bd1283a..0000000
Binary files a/gssntlmssp-0.7.0.tar.gz and /dev/null differ
diff --git a/gssntlmssp-1.2.0.tar.gz b/gssntlmssp-1.2.0.tar.gz
new file mode 100644
index 0000000..f6ec0ae
Binary files /dev/null and b/gssntlmssp-1.2.0.tar.gz differ
diff --git a/gssntlmssp.spec b/gssntlmssp.spec
index 00c8d9f..d541af9 100644
--- a/gssntlmssp.spec
+++ b/gssntlmssp.spec
@@ -1,15 +1,10 @@
Name: gssntlmssp
-Version: 0.7.0
-Release: 10
+Version: 1.2.0
+Release: 1
Summary: The mechanism of GSSAPI NTLMSSP
License: LGPLv3+
-URL: https://pagure.io/gssntlmssp
-Source0: https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz
-Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
-Patch02: CVE-2023-25567.patch
-Patch03: CVE-2023-25563.patch
-Patch04: CVE-2023-25564.patch
-Patch05: CVE-2023-25565.patch
+URL: https://github.com/gssapi/gss-ntlmssp
+Source0: https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
Requires: krb5-libs >= 1.12.1-9
@@ -33,7 +28,7 @@ Summary: Documentation for gssntlmssp
This package provides documentation for gssntlmssp.
%prep
-%autosetup -n gssntlmssp-0.7.0 -p1
+%autosetup -n gssntlmssp-%{version} -p1
%build
autoreconf -fiv
@@ -66,6 +61,9 @@ make test_gssntlmssp
%{_mandir}/man8/gssntlmssp.8*
%changelog
+* Tue Sep 19 2023 wulei - 1.2.0-1
+- Update to 1.2.0
+
* Tue Feb 21 2023 yaoxin - 0.7.0-10
- Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567
diff --git a/gssntlmssp.yaml b/gssntlmssp.yaml
new file mode 100644
index 0000000..bece3f4
--- /dev/null
+++ b/gssntlmssp.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: gssapi/gss-ntlmssp
+tag_prefix: ^v
+separator: .
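Review bot: The changelog entry added in the third hunk (`- Update to 1.2.0`) does not say why Patch02–Patch05, the backports of CVE-2023-25563, CVE-2023-25564, CVE-2023-25565 and CVE-2023-25567 removed in the first hunk, are no longer needed, so a reader of the spec cannot tell whether the rebase dropped those fixes or upstream absorbed them. Before merging, the 1.2.0 tarball should be checked for the upstream commits the deleted patch files carried (97c62c6, c753000, c16100f, 025fbb7 in the removed files above) and the entry should record the result, e.g. `- Drop CVE-2023-25563/25564/25565/25567 and OpenSSL 1.1.0 patches, fixed upstream`. The new Source0 fetches the release archive from GitHub with nothing in %prep verifying it; if upstream publishes a detached signature for the release, adding it as Source1 and verifying it in %prep (for example with the `%{gpgverify}` macro where the distribution provides it) would give the package an integrity check on this tarball swap. Keeping `-p1` on `%autosetup` with no Patch lines left is harmless but now dead.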