Bug 673066

Summary: www-apache/mod_auth_kerb-5.4-r2: Segmentation fault / Use after free in authenticate_user_krb5pwd()
Product: Gentoo Linux Reporter: Johan Ymerson <johan>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED FIXED    
Severity: normal CC: joakim.tjernlund, mgorny, sam
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch for use after free in authenticate_user_krb5pwd()

Description Johan Ymerson 2018-12-13 10:01:05 UTC
Created attachment 557710 [details, diff]
Patch for use after free in authenticate_user_krb5pwd()

In verify_krb5_user() krb5_kt_close() is called under certain conditions, but krb5_kt_close() is also called from the top level function authenticate_user_krb5pwd() after calling verify_krb5_user().
This leads to a use after free, since krb5_kt_close() frees up memory pointed to in the keytab struct and the next call to krb5_kt_close() will dereference pointers in that (now freed) memory.
This triggers a segmentation fault with recent versions of MIT Kerberos.

Patch to fix this attached.
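The ownership mistake described above, as an added illustration in C (this is not the attached patch and not mod_auth_kerb code; the keytab type, the counters and the function names are stand-ins constructed for this example): the helper closes the handle on its own failure path and the top-level caller closes it again, while the fixed variant leaves closing to the single function that opened the handle.

```c
#include <string.h>

/* Constructed stand-in for a libkrb5 keytab handle: a static object with a
 * "live" flag instead of malloc/free, so a second close is counted rather
 * than dereferencing freed memory the way a real double krb5_kt_close() does. */
struct kt { char name[32]; int live; };
static struct kt keytab;
static int stale_closes;   /* closes issued on an already-closed handle */

static struct kt *kt_open(const char *name) {
    strncpy(keytab.name, name, sizeof keytab.name - 1);
    keytab.live = 1;
    return &keytab;
}

/* Models krb5_kt_close(): after this the handle's memory is gone. */
static void kt_close(struct kt *kt) {
    if (!kt->live) { stale_closes++; return; }  /* the use-after-free from the report */
    kt->live = 0;
}
/* Shape of the bug: the helper closes on its own failure path... */
static int verify_user_buggy(struct kt *kt, int password_ok) {
    if (!password_ok) { kt_close(kt); return -1; }
    return 0;
}
/* ...and the top-level caller closes again, unconditionally. */
static int authenticate_buggy(int password_ok) {
    struct kt *kt = kt_open("FILE:/etc/krb5.keytab");
    int rc = verify_user_buggy(kt, password_ok);
    kt_close(kt);
    return rc;
}
/* Fixed: one owner. The helper never closes a handle it did not open. */
static int verify_user_fixed(struct kt *kt, int password_ok) { (void)kt; return password_ok ? 0 : -1; }
static int authenticate_fixed(int password_ok) {
    struct kt *kt = kt_open("FILE:/etc/krb5.keytab");
    int rc = verify_user_fixed(kt, password_ok);
    kt_close(kt);
    return rc;
}

/* Runs one variant and reports how many closes hit a dead handle. */
static int stale_closes_for(int use_fixed, int password_ok) {
    memset(&keytab, 0, sizeof keytab);
    stale_closes = 0;
    (use_fixed ? authenticate_fixed : authenticate_buggy)(password_ok);
    return stale_closes;
}
```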
Comment 1 Joakim Tjernlund 2018-12-14 08:14:45 UTC
Michal, I see you are maintaining the Gentoo patch queue, perhaps you can add this one too?
Comment 2 Joakim Tjernlund 2019-01-24 16:02:32 UTC
ping?
Comment 3 Joakim Tjernlund 2020-04-09 20:17:00 UTC
ping?
Comment 4 Joakim Tjernlund 2020-07-19 22:23:03 UTC
Now this module does not work with app-crypt/mit-krb5-1.18.2-r1:
apache2: Syntax error on line 166 of /etc/apache2/httpd.conf: Syntax error on line 13 of /etc/apache2/vhosts.d/00devsrv.conf: Cannot load modules/mod_auth_kerb.so into server: /usr/lib64/apache2/modules/mod_auth_kerb.so: undefined symbol: krb5_rc_resolve_full
 * ERROR: apache2 failed to stop

I guess it is time to switch to mod_auth_gssapi
Comment 5 Joakim Tjernlund 2020-08-12 16:05:51 UTC
(In reply to Joakim Tjernlund from comment #4)
> Now this module does not work with app-crypt/mit-krb5-1.18.2-r1:
> apache2: Syntax error on line 166 of /etc/apache2/httpd.conf: Syntax error
> on line 13 of /etc/apache2/vhosts.d/00devsrv.conf: Cannot load
> modules/mod_auth_kerb.so into server:
> /usr/lib64/apache2/modules/mod_auth_kerb.so: undefined symbol:
> krb5_rc_resolve_full
>  * ERROR: apache2 failed to stop
> 
> I guess it is time to switch to mod_auth_gssapi

This makes it load at least:
-- ./src/mod_auth_kerb.c.org	2020-08-10 17:36:11.563228638 +0200
+++ ./src/mod_auth_kerb.c	2020-08-10 17:53:14.641734908 +0200
@@ -2070,12 +2070,11 @@
    ret = krb5_init_context(&context);
    if (ret)
       return 0;
-
-   ret = krb5_rc_resolve_full(context, &id, "none:");
+extern krb5_error_code
+    k5_rc_resolve(krb5_context context, const char *name, krb5_rcache *rc_out);
+   ret = k5_rc_resolve(context, "none:", &id);
    found = (ret == 0);
 
-   if (ret == 0)
-      krb5_rc_destroy(context, id);
    krb5_free_context(context);
 
    return found;
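Review bot: k5_rc_resolve, pulled in here with a hand-written extern prototype in the middle of the function body, is a library-internal MIT krb5 symbol (the k5_ prefix marks private functions that are not declared in the public krb5.h), so this only works because the entry point happens to be exported and can stop resolving on the next release; a configure-time check for krb5_rc_resolve_full, with the whole probe skipped when it is absent, would be more robust. The hunk also drops `krb5_rc_destroy(context, id);` without any replacement, so on success the replay-cache handle returned by k5_rc_resolve is never released before krb5_free_context().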
Comment 6 Joakim Tjernlund 2021-03-02 17:46:08 UTC
This became in the end:

--- ./src/mod_auth_kerb.c.org	2020-08-13 17:30:15.901691505 +0200
+++ ./src/mod_auth_kerb.c	2020-08-13 17:35:00.069621299 +0200
@@ -2062,6 +2062,11 @@
 static int
 have_rcache_type(const char *type)
 {
+  /* rcache "none" is always present in modern mit-krb5
+   * but krb5_rc_resolve_full() has been removed in 1.18.x
+   * so hardcode to true */
+   return 1;
+#if 0
    krb5_error_code ret;
    krb5_context context;
    krb5_rcache id = NULL;
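Review bot: the unconditional `return 1;` makes have_rcache_type() report every requested type as present, not only "none" as the comment claims, because the `type` argument is no longer examined; if any caller passes another name, a misconfigured replay-cache type is now accepted at startup instead of being rejected. Consider `return strcmp(type, "none") == 0;` (or at least `(void)type;` to keep the unused-parameter warning quiet), and say in the comment that this is a build-time assumption about mit-krb5 1.18 and later rather than a runtime probe.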
@@ -2079,6 +2084,7 @@
    krb5_free_context(context);
 
    return found;
+#endif
 }
 
 /***************************************************************************
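Review bot: with the `#endif` landing here the old probe body stays in the tree as `#if 0` dead code, including the `krb5_error_code ret`, `krb5_context context` and `krb5_rcache id` locals from the first hunk; either delete the block outright or tie it to a real condition (for example a configure-time check for krb5_rc_resolve_full) so the original runtime probe is still used on older mit-krb5 where the function exists and the hardcoded `return 1` is only taken on 1.18.x and later.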
Comment 7 Larry the Git Cow gentoo-dev 2021-12-29 08:46:50 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=433bedfe250303e35202bcaacc054a157e409a57

commit 433bedfe250303e35202bcaacc054a157e409a57
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-29 08:45:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-29 08:46:42 +0000

    www-apache/mod_auth_kerb: add use-after-free patch
    
    Closes: https://bugs.gentoo.org/673066
    Signed-off-by: Sam James <sam@gentoo.org>

 .../mod_auth_kerb-5.4-krb5pwd-double-free.patch    | 22 ++++++++++++++++++++++
 ...b-5.4-r4.ebuild => mod_auth_kerb-5.4-r5.ebuild} |  5 ++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-29 09:27:48 UTC
Big thanks to you both.