diff -pruN 1.17-10/debian/changelog 1.17-10ubuntu1/debian/changelog
--- 1.17-10/debian/changelog	2020-06-09 13:52:34.000000000 +0000
+++ 1.17-10ubuntu1/debian/changelog	2020-11-11 14:22:12.000000000 +0000
@@ -1,3 +1,12 @@
+krb5 (1.17-10ubuntu1) hirsute; urgency=medium
+
+  * SECURITY UPDATE: Unbounded recursion
+    - debian/patches/CVE-2020-28196.patch: adds recursion limit for ASN.1
+      indefinite lengths in src/lib/krb5/asn.1/asn1_encode.c.
+    - CVE-2020-28196
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Wed, 11 Nov 2020 11:22:12 -0300
+
 krb5 (1.17-10) unstable; urgency=low
 
   * Also set localstatedir to be consistent with old builds, Closes: #962522
diff -pruN 1.17-10/debian/control 1.17-10ubuntu1/debian/control
--- 1.17-10/debian/control	2020-06-09 13:39:02.000000000 +0000
+++ 1.17-10ubuntu1/debian/control	2020-11-11 14:22:12.000000000 +0000
@@ -8,7 +8,8 @@ Build-Depends: debhelper-compat (= 13),
  libverto-dev (>= 0.2.4), pkg-config
 Build-Depends-Indep: python3, python3-cheetah, python3-lxml, python3-sphinx, doxygen, doxygen-latex
 Standards-Version: 4.5.0
-Maintainer: Sam Hartman <hartmans@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Sam Hartman <hartmans@debian.org>
 Uploaders: Russ Allbery <rra@debian.org>, Benjamin Kaduk <kaduk@mit.edu>
 Homepage: http://web.mit.edu/kerberos/
 VCS-Git: https://salsa.debian.org/debian/krb5
diff -pruN 1.17-10/debian/patches/CVE-2020-28196.patch 1.17-10ubuntu1/debian/patches/CVE-2020-28196.patch
--- 1.17-10/debian/patches/CVE-2020-28196.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.17-10ubuntu1/debian/patches/CVE-2020-28196.patch	2020-11-11 14:22:12.000000000 +0000
@@ -0,0 +1,95 @@
+From 57415dda6cf04e73ffc3723be518eddfae599bfd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Sat, 31 Oct 2020 17:07:05 -0400
+Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
+
+The libkrb5 ASN.1 decoder supports BER indefinite lengths.  It
+computes the tag length using recursion; the lack of a recursion limit
+allows an attacker to overrun the stack and cause the process to
+crash.  Reported by Demi Obenour.
+
+CVE-2020-28196:
+
+In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
+cause a denial of service for any client or server to which it can
+send an ASN.1-encoded Kerberos message of sufficient length.
+
+ticket: 8959 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+---
+ src/lib/krb5/asn.1/asn1_encode.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
+index a160cf4fe8..cd6b879f77 100644
+--- a/src/lib/krb5/asn.1/asn1_encode.c
++++ b/src/lib/krb5/asn.1/asn1_encode.c
+@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
+ static krb5_error_code
+ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
+         const uint8_t **contents_out, size_t *clen_out,
+-        const uint8_t **remainder_out, size_t *rlen_out)
++        const uint8_t **remainder_out, size_t *rlen_out, int recursion)
+ {
+     krb5_error_code ret;
+     uint8_t o;
+@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
+         /* Indefinite form (should not be present in DER, but we accept it). */
+         if (tag_out->construction != CONSTRUCTED)
+             return ASN1_MISMATCH_INDEF;
++        if (recursion >= 32)
++            return ASN1_OVERFLOW;
+         p = asn1;
+         while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
+-            ret = get_tag(p, len, &t, &c, &clen, &p, &len);
++            ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
+             if (ret)
+                 return ret;
+         }
+@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out)
+     const uint8_t *contents, *remainder;
+     size_t clen, rlen;
+ 
+-    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
++    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     if (rlen != 0)
+@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len,
+         const uint8_t *rem;
+         size_t rlen;
+         if (!tag->implicit) {
+-            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
++            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
+             if (ret)
+                 return ret;
+             /* Note: we don't check rlen (it should be 0). */
+@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq,
+     for (i = 0; i < seq->n_fields; i++) {
+         if (len == 0)
+             break;
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         /*
+@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
+     *seq_out = NULL;
+     *count_out = 0;
+     while (len > 0) {
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         if (!check_atype_tag(elemtype, &t)) {
+@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
+ 
+     *retrep = NULL;
+     ret = get_tag((uint8_t *)code->data, code->length, &t, &contents,
+-                  &clen, &remainder, &rlen);
++                  &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     /* rlen should be 0, but we don't check it (and due to padding in
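Review bot: The depth cap added in get_tag's indefinite-length branch is a bare `32`, with no comment saying what it bounds or why that value was chosen; a named constant such as `#define MAX_INDEF_DEPTH 32` (the name is only a suggestion) with a one-line rationale would make the limit easier to audit and tune. The new `recursion` parameter is also undocumented, so a short comment above get_tag should state that it counts nesting of indefinite-length encodings and that outside callers pass 0, as split_der, decode_atype, decode_sequence, decode_sequence_of and k5_asn1_full_decode do here. Because those callers restart the count at 0, the check bounds get_tag's own recursion rather than total decoder depth; presumably the outer depth is fixed by the type descriptors, but that is not visible in these hunks (get_tag and its callers are only partly shown) and is worth confirming. The embedded patch changes a single file and carries no regression test showing that input nested past the limit is rejected with ASN1_OVERFLOW, which would be worth adding alongside the fix.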
diff -pruN 1.17-10/debian/patches/series 1.17-10ubuntu1/debian/patches/series
--- 1.17-10/debian/patches/series	2020-05-28 19:20:09.000000000 +0000
+++ 1.17-10ubuntu1/debian/patches/series	2020-11-11 14:22:12.000000000 +0000
@@ -16,3 +16,4 @@ debian-local/0015-Some-more-des-test-fai
 0016-Filter-enctypes-in-gss_set_allowable_enctypes.patch
 0017-Don-t-error-on-invalid-enctypes-in-keytab.patch
 0018-Update-doxygen-RST-bridge-to-Python-3.patch
+CVE-2020-28196.patch
