Discussion:
3 kerberos security issues
Alexander Bergmann
2024-03-01 12:13:05 UTC
Hi everyone,

We got notified via NVD about 3 new security issues. Right now there
seems to be no upstream reference. Could someone please comment on this?

CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c
CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c
CVE-2024-26462: Memory leak at /krb5/src/kdc/ndr.c

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-26458
https://nvd.nist.gov/vuln/detail/CVE-2024-26461
https://nvd.nist.gov/vuln/detail/CVE-2024-26462



Thanks,
Alex~
--
Alexander Bergmann <***@suse.com>
Security Engineer, GPG: E30A 65A4 0F50 0066 B2B5 F614 DE54 E875 9FFA 4886
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nuernberg, Germany
Managing Director/Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
Greg Hudson
2024-03-01 20:38:04 UTC
Post by Alexander Bergmann
> We got notified via NVD about 3 new security issues. Right now there
> seems to be no upstream reference. Could someone please comment on this?
> CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c
> CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c
> CVE-2024-26462: Memory leak at /krb5/src/kdc/ndr.c
These CVEs appear to be the result of someone running a static analysis
tool over the MIT krb5 code base and assigning CVEs to each resulting
defect, without performing any additional impact analysis or upstream
consultation.

The pmap_rmt.c leak only affects pmap_rmtcall(), which is unused by the
rest of the krb5 code base and likely unused by anyone else.

The k5sealv3.c leak affects an encoding function, and happens on a
bounds check which likely cannot be triggered with any choice of
memory-valid API inputs. (The bounds check was itself introduced to
quash a different static analysis defect.)

The ndr.c leak also affects an encoding function, and triggers if the
input contains invalid UTF-8. This one might be triggerable by a
request (though it may require elevated privilege), but I would not have
requested a CVE for it myself.

I will fix these on the mainline, but I only expect to assign a ticket
to the third one.
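The shape Greg describes for the ndr.c case (an encoding function that allocates a buffer and then bails out when the input is not valid UTF-8) is the general pattern behind this class of static-analysis leak findings: an early `return` on an error path that skips the cleanup of something allocated a few lines earlier. The C below is an added illustration for this thread, not MIT krb5 code and not the upstream fix; the wire format, the UTF-8 check, the allocation counter, the sample inputs and every function name are constructed for the example. It places a leaky encoder next to the same encoder rewritten with a single `cleanup:` exit, and uses a small allocation counter to make the difference observable: after a failed call the leaky version leaves one live allocation behind, the fixed version none.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation accounting so the leak is visible here without a leak checker;
 * in a real build you would run this under LeakSanitizer or valgrind. */
static long live_allocs = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Structural UTF-8 check: the lead byte fixes how many 10xxxxxx continuation
 * bytes must follow. Minimal on purpose (no overlong/surrogate rejection). */
int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0, cont, k;
    while (i < n) {
        unsigned char c = s[i];
        cont = c < 0x80 ? 0 : (c & 0xE0) == 0xC0 ? 1 : (c & 0xF0) == 0xE0 ? 2
             : (c & 0xF8) == 0xF0 ? 3 : 4;
        if (cont == 4) return 0;     /* stray continuation or bad lead byte */
        if (i + cont >= n) return 0; /* truncated sequence */
        for (k = 1; k <= cont; k++) if ((s[i + k] & 0xC0) != 0x80) return 0;
        i += cont + 1;
    }
    return 1;
}

/* Hypothetical wire format: 4-byte little-endian length, then the bytes. */
static void put_len(unsigned char *buf, size_t len)
{
    buf[0] = (unsigned char)len;         buf[1] = (unsigned char)(len >> 8);
    buf[2] = (unsigned char)(len >> 16); buf[3] = (unsigned char)(len >> 24);
}

/* Encoder shaped like the defect: returns 0 and hands *out to the caller on
 * success, -1 on error, but a validation failure returns with buf unfreed. */
int encode_string_leaky(const unsigned char *in, size_t len,
                        unsigned char **out, size_t *outlen)
{
    unsigned char *buf = tracked_malloc(4 + len);
    if (buf == NULL || !utf8_valid(in, len))
        return -1;                   /* defect: buf leaks on invalid input */
    put_len(buf, len);
    memcpy(buf + 4, in, len);
    *out = buf; *outlen = 4 + len;
    return 0;
}

/* Same encoder with one exit path: every failure falls through to cleanup,
 * and buf is only cleared once ownership has passed to the caller. */
int encode_string_fixed(const unsigned char *in, size_t len,
                        unsigned char **out, size_t *outlen)
{
    int ret = -1; unsigned char *buf = tracked_malloc(4 + len);
    if (buf == NULL || !utf8_valid(in, len))
        goto cleanup;
    put_len(buf, len);
    memcpy(buf + 4, in, len);
    *out = buf; *outlen = 4 + len;
    buf = NULL;                      /* caller now owns the buffer */
    ret = 0;
cleanup:
    tracked_free(buf);               /* no-op on success, frees on any error */
    return ret;
}

/* Feed a constructed invalid input (0xC3 then a non-continuation byte) to an
 * encoder; report allocations that outlived the failed call (0 is correct). */
static long leaked_on_invalid(int (*enc)(const unsigned char *, size_t,
                                         unsigned char **, size_t *))
{
    static const unsigned char bad[] = { 0xC3, 0x28 };
    unsigned char *out = NULL; size_t outlen = 0;
    long before = live_allocs;
    if (enc(bad, sizeof bad, &out, &outlen) == 0)
        tracked_free(out);           /* not expected for invalid input */
    return live_allocs - before;
}
long leaked_by_leaky(void) { return leaked_on_invalid(encode_string_leaky); }
long leaked_by_fixed(void) { return leaked_on_invalid(encode_string_fixed); }

/* Constructed valid input ("caf\xc3\xa9") round-trips through the fixed
 * encoder and the caller frees the buffer: returns 1 on success. */
int fixed_roundtrip_ok(void)
{
    static const unsigned char good[] = "caf\xc3\xa9";
    unsigned char *out = NULL; size_t outlen = 0;
    if (encode_string_fixed(good, 5, &out, &outlen) != 0) return 0;
    int ok = outlen == 9 && out[0] == 5 && memcmp(out + 4, good, 5) == 0;
    tracked_free(out);
    return ok;
}
int main(void)
{
    printf("round-trip ok %d, leaked: leaky %ld, fixed %ld\n",
           fixed_roundtrip_ok(), leaked_by_leaky(), leaked_by_fixed());
    return 0;
}
```

The counter stands in for what a leak checker reports in a real code base; the practical way to catch this pattern at review time is to look for every `return` between an allocation and the point where ownership is handed to the caller, and to prefer the single-exit form so that later edits (such as a newly added bounds check, as in the k5sealv3.c case) cannot reintroduce the leak. Whether such a leak matters depends, as Greg notes, on whether the failing input can be supplied by a remote party: a leak on an unreachable path is a code-quality issue, while one reachable per request is a slow resource-exhaustion concern for a long-running daemon.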
