[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY ADVISORY] gsasl: Server out-of-bounds read with authenticated
[SECURITY ADVISORY] gsasl: Server out-of-bounds read with authenticated malicious GSS-API client
Fri, 15 Jul 2022 18:01:25 +0200
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Server out-of-bounds read with authenticated malicious GSS-API client
A malicious client can after it has authenticated with Kerberos send a
specially crafted message that causes Libgsasl to read out of bounds
and cause a crash in the server.
The vulnerability only occur on the server; only when Libgsasl is
built with GSS-API support; and only when the server has completed a
successful Kerberos authentication.
We are not aware of any exploit of this flaw.
The problem was found during internal code review when writing CI/CD
test cases covering the relevant code.
The vulnerability has been in GNU SASL since the initial commit on
2002-10-07 that went into version 0.0.0:
The code from version 2.0.0 is here:
It unpacks a buffer using gss_unwrap (which decrypt and integrity
check that the buffer comes from an authenticated client) and then
fail to check buffer length conditions before reading from the string.
The code incorrectly trust the already authenticated client to only
send messages conforming to the protocol, but it should have carefully
checked if that is true.
All versions of GNU SASL released before version 2.0.1.
Version 2.0.1 includes the following patch:
We recommend you to upgrade to version 2.0.1, and only if that is too
unpractical we recommended you to apply the patch.
The problem was discovered on 2022-07-14 and the first version of this
advisory was released on 2022-07-15 together with a patch and the new
Report and patch by Simon Josefsson.
Description: PGP signature
- [SECURITY ADVISORY] gsasl: Server out-of-bounds read with authenticated malicious GSS-API client,
Simon Josefsson <=