packages/gssntlmssp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!16 Update to 1.2.0

Browse Source 
From: @wu-leilei 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-09-21 11:36:48 +00:00 committed by Gitee
commit d4b9ae429e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
9 changed files with 12 additions and 368 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
0001-Add-compatibility-with-OpenSSL-1.1.0.patch
View File

@ -1,149 +0,0 @@
From e498737a96e8832a2cb9141ab1fe51e129185a48 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 29 Jun 2016 11:15:11 -0400
Subject: [PATCH] Add compatibility with OpenSSL 1.1.0
In their continued wisdom OpenSSL developers keep breaking APIs left and right
with very poor documentation and forward/backward source compatibility.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/crypto.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 48 insertions(+), 12 deletions(-)
diff --git a/src/crypto.c b/src/crypto.c
index 9fe69f97cfe9a4c1c9a5fb1861fef3fdfb8ae596..33a0c3e9060df0fa14784e869b5edce2f462b238 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -27,6 +27,32 @@
#include "crypto.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+HMAC_CTX *HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx;
+
+ ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
+ if (!ctx) return NULL;
+
+ HMAC_CTX_init(ctx);
+
+ return ctx;
+}
+
+void HMAC_CTX_free(HMAC_CTX *ctx)
+{
+ if (ctx == NULL) return;
+
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+}
+
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+
+#endif
+
int RAND_BUFFER(struct ntlm_buffer *random)
{
int ret;
@@ -42,30 +68,34 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
struct ntlm_iov *iov,
struct ntlm_buffer *result)
{
- HMAC_CTX hmac_ctx;
+ HMAC_CTX *hmac_ctx;
unsigned int len;
size_t i;
int ret = 0;
if (result->length != 16) return EINVAL;
- HMAC_CTX_init(&hmac_ctx);
+ hmac_ctx = HMAC_CTX_new();
+ if (!hmac_ctx) {
+ ret = ERR_CRYPTO;
+ goto done;
+ }
- ret = HMAC_Init_ex(&hmac_ctx, key->data, key->length, EVP_md5(), NULL);
+ ret = HMAC_Init_ex(hmac_ctx, key->data, key->length, EVP_md5(), NULL);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
}
for (i = 0; i < iov->num; i++) {
- ret = HMAC_Update(&hmac_ctx, iov->data[i]->data, iov->data[i]->length);
+ ret = HMAC_Update(hmac_ctx, iov->data[i]->data, iov->data[i]->length);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
}
}
- ret = HMAC_Final(&hmac_ctx, result->data, &len);
+ ret = HMAC_Final(hmac_ctx, result->data, &len);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
@@ -74,7 +104,7 @@ int HMAC_MD5_IOV(struct ntlm_buffer *key,
ret = 0;
done:
- HMAC_CTX_cleanup(&hmac_ctx);
+ HMAC_CTX_free(hmac_ctx);
return ret;
}
@@ -93,26 +123,32 @@ static int mdx_hash(const EVP_MD *type,
struct ntlm_buffer *payload,
struct ntlm_buffer *result)
{
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned int len;
int ret;
if (result->length != 16) return EINVAL;
- EVP_MD_CTX_init(&ctx);
- ret = EVP_DigestInit_ex(&ctx, type, NULL);
+ ctx = EVP_MD_CTX_new();
+ if (!ctx) {
+ ret = ERR_CRYPTO;
+ goto done;
+ }
+
+ EVP_MD_CTX_init(ctx);
+ ret = EVP_DigestInit_ex(ctx, type, NULL);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
}
- ret = EVP_DigestUpdate(&ctx, payload->data, payload->length);
+ ret = EVP_DigestUpdate(ctx, payload->data, payload->length);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
}
- ret = EVP_DigestFinal_ex(&ctx, result->data, &len);
+ ret = EVP_DigestFinal_ex(ctx, result->data, &len);
if (ret == 0) {
ret = ERR_CRYPTO;
goto done;
@@ -121,7 +157,7 @@ static int mdx_hash(const EVP_MD *type,
ret = 0;
done:
- EVP_MD_CTX_cleanup(&ctx);
+ if (ctx) EVP_MD_CTX_free(ctx);
return ret;
}
--
2.9.3

67
CVE-2023-25563.patch
View File

@ -1,67 +0,0 @@
From 97c62c6167299028d80765080e74d91dfc99efbd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 13:51:34 -0500
Subject: [PATCH] Out-of-bounds read in multiple decode functions
These were reported as:
- Out-of-bounds read in ntlm_decode_oem_str (GHSL-2023-019)
- Out-of-bounds read in ntlm_decode_u16l_str_hdr (GHSL-2023-020)
- Out-of-bounds read in ntlm_decode_field (GHSL-2023-021)
These are lall basically the same identical error replicated in 3
separate functions.
Fixes defects GHSL-2023-019, GHSL-2023-020, GHSL-2023-021 found by
the GitHub Security Lab team via oss-fuzz.
A 32-bit integer overflow condition can lead to incorrect checks of
consistency of length of internal buffers. This leads to a DoS
as the service may end up reading from unmapped memory and crashing.
Although most applications will error out before accepting a singe input
buffer of 4GB in lenght this could theoretically happen, and therefore
we fix it.
Fixes CVE-2023-25563
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index b2d84a2..df2458a 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -205,7 +205,6 @@ static int ntlm_str_convert(iconv_t cd,
return 0;
}
-
uint8_t ntlmssp_sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
static void ntlm_encode_header(struct wire_msg_hdr *hdr, uint32_t msg_type)
@@ -256,6 +255,7 @@ static int ntlm_decode_oem_str(struct wire_field_hdr *str_hdr,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
@@ -308,6 +308,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
str_offs = le32toh(str_hdr->offset);
if ((str_offs < payload_offs) ||
(str_offs > buffer->length) ||
+ (UINT32_MAX - str_offs < str_len) ||
(str_offs + str_len > buffer->length)) {
return ERR_DECODE;
}
@@ -393,6 +394,7 @@ static int ntlm_decode_field(struct wire_field_hdr *hdr,
offs = le32toh(hdr->offset);
if ((offs < payload_offs) ||
(offs > buffer->length) ||
+ (UINT32_MAX - offs < len) ||
(offs + len > buffer->length)) {
return ERR_DECODE;
}

58
CVE-2023-25564.patch
View File

@ -1,58 +0,0 @@
From c753000eb31835c0664e528fbc99378ae0cbe950 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 12:14:20 -0500
Subject: [PATCH] GHSL-2023-013: Memory corruption decoding UTF16
Memory corruption when decoding UTF16 strings (GHSL-2023-013)
Fixes defect GHSL-2023-013 found by the GitHub Security Lab team via
oss-fuzz.
The variable outlen was not initialized and could cause writing a zero
to an arbitrary place in memory if ntlm_str_convert() were to fail,
which would leave outlen uninitialized.
This can lead to a DoS if the write hits unmapped memory or randomly
corrupting a byte in the application memory space.
Make sure to zero out only if ntlm_str_convert() succeeds, but for good
measure also initialize outlen to 0.
Fixes CVE-2023-25564
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index df2458a..0ac1c03 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -299,7 +299,7 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
char *in, *out = NULL;
uint16_t str_len;
uint32_t str_offs;
- size_t outlen;
+ size_t outlen = 0;
int ret = 0;
str_len = le16toh(str_hdr->len);
@@ -320,13 +320,14 @@ static int ntlm_decode_u16l_str_hdr(struct ntlm_ctx *ctx,
ret = ntlm_str_convert(ctx->to_oem, in, out, str_len, &outlen);
- /* make sure to terminate output string */
- out[outlen] = '\0';
-
done:
if (ret) {
safefree(out);
+ } else {
+ /* make sure to terminate output string */
+ out[outlen] = '\0';
}
+
*str = out;
return ret;
}

38
CVE-2023-25565.patch
View File

@ -1,38 +0,0 @@
From c16100f60907a2de92bcb676f303b81facee0f64 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 12:04:11 -0500
Subject: [PATCH] GHSL-2023-012: Incorrect free when decoding target
Incorrect free when decoding target information (GHSL-2023-012)
Fixes defect GHSL-2023-012 found by the GitHub Security Lab team via
oss-fuzz.
The error condition incorrectly assumed the cb and sh buffers would
contain a copy of the data that needed to freed. However that is not the
case.
This will generally cause an assertion when trying to free a pointer
that was never allocated, and potentially memory corruption depending on
the contents fo the target_info buffer.
This may cause a DoS condition.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/ntlm.c b/src/ntlm.c
index 0ac1c03..d3d7d1b 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -731,8 +731,6 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
done:
if (ret) {
- ntlm_free_buffer_data(&sh);
- ntlm_free_buffer_data(&cb);
safefree(nb_computer);
safefree(nb_domain);
safefree(dns_computer);

46
CVE-2023-25567.patch
View File

@ -1,46 +0,0 @@
From 025fbb756d44ffee8f847db4222ed6aa4bd1fbe4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Feb 2023 11:53:11 -0500
Subject: [PATCH] GHSL-2023-011: Out-of-bounds read when decoding
Out-of-bounds read when decoding target information (GHSL-2023-011)
Fixes defect GHSL-2023-011 found by the GitHub Security Lab team via
oss-fuzz.
The lenght of the av_pair is not checked properly for two of the
elements. In case the lenght is shorter than requires this may cause an
out-of-bound read that either reads garbage or may cause a crash by
reading unmapped memory.
This can be exploited to crash the service causing a DoS.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/ntlm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/ntlm.c b/src/ntlm.c
index d3d7d1b..0f71bfd 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -685,11 +685,19 @@ int ntlm_decode_target_info(struct ntlm_ctx *ctx, struct ntlm_buffer *buffer,
break;
case MSV_AV_TIMESTAMP:
if (!av_timestamp) continue;
+ if (av_len < sizeof(timestamp)) {
+ ret = ERR_DECODE;
+ goto done;
+ }
memcpy(&timestamp, av_pair->value, sizeof(timestamp));
timestamp = le64toh(timestamp);
break;
case MSV_AV_FLAGS:
if (!av_flags) continue;
+ if (av_len < sizeof(flags)) {
+ ret = ERR_DECODE;
+ goto done;
+ }
memcpy(&flags, av_pair->value, sizeof(flags));
flags = le32toh(flags);
break;

BIN
gssntlmssp-0.7.0.tar.gz
View File

Binary file not shown.

BIN
gssntlmssp-1.2.0.tar.gz Normal file
View File

Binary file not shown.

18
gssntlmssp.spec
View File

@ -1,15 +1,10 @@
Name: gssntlmssp Name: gssntlmssp
Version: 0.7.0 Version: 1.2.0
Release: 10 Release: 1
Summary: The mechanism of GSSAPI NTLMSSP Summary: The mechanism of GSSAPI NTLMSSP
License: LGPLv3+ License: LGPLv3+
URL: https://pagure.io/gssntlmssp URL: https://github.com/gssapi/gss-ntlmssp
Source0: https://fedorahosted.org/released/gss-ntlmssp/%{name}-%{version}.tar.gz Source0: https://github.com/gssapi/gss-ntlmssp/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch01: 0001-Add-compatibility-with-OpenSSL-1.1.0.patch
Patch02: CVE-2023-25567.patch
Patch03: CVE-2023-25563.patch
Patch04: CVE-2023-25564.patch
Patch05: CVE-2023-25565.patch
Requires: krb5-libs >= 1.12.1-9 Requires: krb5-libs >= 1.12.1-9
@ -33,7 +28,7 @@ Summary: Documentation for gssntlmssp
This package provides documentation for gssntlmssp. This package provides documentation for gssntlmssp.
%prep %prep
%autosetup -n gssntlmssp-0.7.0 -p1 %autosetup -n gssntlmssp-%{version} -p1
%build %build
autoreconf -fiv autoreconf -fiv
@ -66,6 +61,9 @@ make test_gssntlmssp
%{_mandir}/man8/gssntlmssp.8* %{_mandir}/man8/gssntlmssp.8*
%changelog %changelog
* Tue Sep 19 2023 wulei <wu_lei@hoperun.com> - 1.2.0-1
- Update to 1.2.0
* Tue Feb 21 2023 yaoxin <yaoxin30@h-partners.com> - 0.7.0-10 * Tue Feb 21 2023 yaoxin <yaoxin30@h-partners.com> - 0.7.0-10
- Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567 - Fix CVE-2023-25563,CVE-2023-25564,CVE-2023-25565 and CVE-2023-25567

4
gssntlmssp.yaml Normal file
View File

@ -0,0 +1,4 @@
version_control: github
src_repo: gssapi/gss-ntlmssp
tag_prefix: ^v
separator: .