From f8c4316342857a4fa4a05c1cb6ab16992faddb69 Mon Sep 17 00:00:00 2001
From: Cy Schubert
Date: Sat, 26 Nov 2022 08:27:08 -0800
Subject: [PATCH] security/heimdal: Fix uninitialized pointer dereference

krb5_ret_preincipal() returns a non-zero return code when a garbage principal is passed to it. Unfortunately ret_principal_ent() does not check the return code, with garbage pointing to what would have been the principal. This results in a segfault when free() is called.

PR: 267944, 267972
Reported by: Robert Morris
MFH: 2024Q1
---
 security/heimdal/Makefile | 2 +-
 .../heimdal/files/patch-lib_kadm5_marshall.c | 31 +++++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index cdef0c697067..3508ad2f8f0c 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= heimdal
 PORTVERSION= 7.8.0
-PORTREVISION= 7
+PORTREVISION= 8
 CATEGORIES= security
 MASTER_SITES= https://github.com/heimdal/heimdal/releases/download/${DISTNAME}/
diff --git a/security/heimdal/files/patch-lib_kadm5_marshall.c b/security/heimdal/files/patch-lib_kadm5_marshall.c
index d44311d5edbf..8e01bbe30354 100644
--- a/security/heimdal/files/patch-lib_kadm5_marshall.c
+++ b/security/heimdal/files/patch-lib_kadm5_marshall.c
@@ -1,6 +1,33 @@
 --- lib/kadm5/marshall.c.orig 2022-09-15 16:54:19.000000000 -0700
-+++ lib/kadm5/marshall.c 2022-11-24 08:47:40.099673000 -0800
-@@ -407,10 +407,40 @@
++++ lib/kadm5/marshall.c 2022-11-26 08:20:41.302104000 -0800
+@@ -261,9 +261,9 @@
+ int i;
+ int32_t tmp;
+
+- if (mask & KADM5_PRINCIPAL)
+- krb5_ret_principal(sp, &princ->principal);
+-
++ if (mask & KADM5_PRINCIPAL)
++ if (krb5_ret_principal(sp, &princ->principal))
++ return EINVAL;
+ if (mask & KADM5_PRINC_EXPIRE_TIME) {
+ krb5_ret_int32(sp, &tmp);
+ princ->princ_expire_time = tmp;
+@@ -282,9 +282,10 @@
+ }
+ if (mask & KADM5_MOD_NAME) {
+ krb5_ret_int32(sp, &tmp);
+- if(tmp)
+- krb5_ret_principal(sp, &princ->mod_name);
+- else
++ if(tmp) {
++ if (krb5_ret_principal(sp, &princ->mod_name))
++ return EINVAL;
++ } else
+ princ->mod_name = NULL;
+ }
+ if (mask & KADM5_MOD_TIME) {
+@@ -407,10 +408,40 @@
 ret = krb5_ret_int32(sp, &mask);
 if (ret)
 goto out;
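Review bot: The KADM5_MOD_NAME branch in the new hunk still calls `krb5_ret_int32(sp, &tmp)` without checking its result and then branches on `tmp`, which is declared without an initializer (`int32_t tmp;`) at the top of the hunk; assuming krb5_ret_int32 leaves `*tmp` untouched on a short read, a truncated record turns this into a read of an indeterminate value, the same unchecked-decode pattern the commit fixes for the principal. I would initialize it, `int32_t tmp = 0;`, or better check the call, `if (krb5_ret_int32(sp, &tmp)) return EINVAL;`, and the other krb5_ret_int32 calls left unchecked in the hunk deserve the same treatment. Returning a fixed `EINVAL` also discards whatever error krb5_ret_principal reported; propagating its return value would be more informative if ret_principal_ent's return type allows it, which the hunk does not show. Whether the early return after a mod_name failure leaks the principal decoded just before depends on what the caller frees on error, which is outside this hunk; ret_principal_ent itself starts before and continues after the hunk.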