azurelinux/SPECS/krb5/CVE-2026-40356.patch at f82a514b0ef8b1deb094e902bb32969ce3b1dfe1 · azurelinux-security/azurelinux · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
From 0c8b9f176c00897ad2ef323da52a3b95f023c612 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 8 Apr 2026 17:57:59 -0400
Subject: [PATCH] Fix two NegoEx parsing vulnerabilities

In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it.  In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.

Reported by Cem Onat Karagun.

CVE-2026-40355:

In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.

CVE-2026-40356:

In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a read overrun of up to 52 bytes, possibly causing the process
to terminate.  Exfiltration of the bytes read does not appear
possible.

ticket: 9205 (new)
tags: pullup
target_version: 1.22-next

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f.patch
---
 src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
index edc5462..a65238e 100644
--- a/src/lib/gssapi/spnego/negoex_util.c
+++ b/src/lib/gssapi/spnego/negoex_util.c
@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
     offset = k5_input_get_uint32_le(in);
     count = k5_input_get_uint16_le(in);
     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
+    if (p == NULL) {
+        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
     for (i = 0; i < count; i++) {
         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
         if (extension_type & EXTENSION_FLAG_CRITICAL) {
@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
     msg_len = k5_input_get_uint32_le(in);
     conv_id = k5_input_get_bytes(in, GUID_LENGTH);

-    if (in->status || msg_len > token_remaining || header_len > msg_len) {
+    if (in->status || msg_len > token_remaining ||
+        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
         return GSS_S_DEFECTIVE_TOKEN;
     }
--
2.45.4