https://mailman.mit.edu/pipermail/kerberos-announce/2024q2/000207.html and
https://web.mit.edu/kerberos/www/krb5-1.21/ have announced the release on
Wed. June 26 of Kerberos 1.21.3 with these changes:
* Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
CVE-2024-37371].
* Fix a potential bad pointer free in krb5_cccol_have_contents().
* Fix a memory leak in the macOS ccache type.
https://krbdev.mit.edu/rt/Ticket/Display.html?id=9128 and
https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
give this info for the issues assigned CVEs:
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.
In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.
In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.
CVE-2024-37370:
In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.
CVE-2024-37371:
In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
