Bug 2230178 (TRIAGE-CVE-2023-36054)

Summary: TRIAGE-CVE-2023-36054 krb5: Denial of service through freeing uninitialized pointer
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acrosby, adudiak, agarcial, aoconnor, asegurap, asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dhalasz, dkreling, dkuc, dosoudil, fjansen, fjuma, hkataria, ivassile, iweiss, jburrell, jmitchel, jplans, jrische, jsamir, jsherril, jtanner, kaycoth, kshier, lgao, mosmerov, msochure, mstefank, msvehla, nalin, nwallace, nweather, pjindal, pmackay, psegedy, rstancel, smaestri, stcannon, sthirugn, tcarlin, tom.jenkinson, tsasak, vkrizan, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5 1.20.2, krb5 1.21.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2230182, 2229113, 2230179, 2230181
Bug Blocks: 2230180

Description Pedro Sampaio 2023-08-08 20:17:11 UTC
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

References:

https://web.mit.edu/kerberos/www/advisories/
https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
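The description above says the decoder does not validate the relationship between n_key_data and the decoded key_data array, so a later cleanup routine iterating by that count walks memory the decoder never filled in. The C program below is an added example, not krb5 code and not the upstream fix, showing the general defensive pattern for this class of bug on a constructed wire format: a record carrying a standalone count plus a self-describing array is rejected when the two disagree, the count is advanced only as elements actually become owned, and the record is always left in a state its free routine can handle, including after a partial decode. The names (principal_rec_t, decode_principal, free_principal), the wire layout, the bounds MAX_KEYS and MAX_KEY_LEN and both sample messages are constructed for this example.

```c
/* Added example, not krb5 code: toy decoder for a count field plus a self-describing array. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS 64       /* constructed sanity bounds */
#define MAX_KEY_LEN 1024

typedef struct { uint32_t length; uint8_t *contents; } key_entry_t; /* contents: heap or NULL */
typedef struct {
    uint32_t n_keys;      /* the count a cleanup loop iterates over */
    key_entry_t *keys;    /* the array that count is supposed to describe */
} principal_rec_t;
typedef struct { const uint8_t *buf; size_t len, off; } reader_t;

/* Read a big-endian u32; fail instead of reading past the buffer. */
static int read_u32(reader_t *r, uint32_t *out)
{
    if (r->len - r->off < 4)
        return 0;
    *out = ((uint32_t)r->buf[r->off] << 24) | ((uint32_t)r->buf[r->off + 1] << 16) |
           ((uint32_t)r->buf[r->off + 2] << 8) | (uint32_t)r->buf[r->off + 3];
    r->off += 4;
    return 1;
}

/* Release what the record owns and reset it, so freeing twice is a no-op. */
void free_principal(principal_rec_t *rec)
{
    for (uint32_t i = 0; i < rec->n_keys; i++)
        free(rec->keys[i].contents);
    free(rec->keys);
    rec->keys = NULL;
    rec->n_keys = 0;
}

/* Constructed wire layout: u32 declared_count, u32 array_count, then array_count
 * elements of (u32 length, bytes). Returns 1 on success, 0 with *rec left empty. */
int decode_principal(const uint8_t *buf, size_t len, principal_rec_t *rec)
{
    reader_t r = { buf, len, 0 };
    uint32_t declared, actual;

    memset(rec, 0, sizeof(*rec));   /* never hand back uninitialized fields */
    if (!read_u32(&r, &declared) || !read_u32(&r, &actual))
        return 0;
    if (actual > MAX_KEYS || declared != actual)
        return 0;                   /* count and array disagree: reject */
    rec->keys = calloc(actual ? actual : 1, sizeof(*rec->keys));
    if (rec->keys == NULL)
        return 0;
    for (uint32_t i = 0; i < actual; i++) {
        uint32_t klen;
        if (!read_u32(&r, &klen) || klen > MAX_KEY_LEN || r.len - r.off < klen ||
            (rec->keys[i].contents = malloc(klen ? klen : 1)) == NULL) {
            free_principal(rec);    /* n_keys == i: frees only what is owned */
            return 0;
        }
        memcpy(rec->keys[i].contents, r.buf + r.off, klen);
        rec->keys[i].length = klen;
        r.off += klen;
        rec->n_keys = i + 1;        /* count grows only as elements become owned */
    }
    return 1;
}

/* Constructed sample messages. */
static const uint8_t good_msg[] = {
    0, 0, 0, 2,                 /* declared count 2 */
    0, 0, 0, 2,                 /* array count 2 */
    0, 0, 0, 3, 'a', 'b', 'c',
    0, 0, 0, 1, 'z',
};
static const uint8_t bad_msg[] = {
    0, 0, 0, 5,                 /* declared count 5 ... */
    0, 0, 0, 1,                 /* ... but only one element on the wire */
    0, 0, 0, 1, 'q',
};

/* Decode good_msg; returns the number of keys decoded, 0 if rejected. */
int check_consistent_message(void)
{
    principal_rec_t rec;
    int n = decode_principal(good_msg, sizeof good_msg, &rec) ? (int)rec.n_keys : 0;
    free_principal(&rec);
    return n;
}

/* Decode bad_msg; returns 1 if it was rejected and the record is safely freeable. */
int check_mismatched_message(void)
{
    principal_rec_t rec;
    int ok = decode_principal(bad_msg, sizeof bad_msg, &rec);
    int safe = (rec.n_keys == 0 && rec.keys == NULL);
    free_principal(&rec);           /* must be harmless after a failed decode */
    return !ok && safe;
}
```

The two properties worth carrying over to a real XDR decoder are visible in check_mismatched_message: a message whose standalone count disagrees with its array is refused before any element is allocated, and whichever way decoding stops, the record handed back can be passed to the free routine without it touching memory the decoder never owned.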

Comment 1 Pedro Sampaio 2023-08-08 20:17:41 UTC
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 2230179]