Inquiry Regarding CVE-2024-26461 Fix in Upcoming krb5 Release
Greg Hudson
ghudson at mit.edu
Fri Nov 8 12:18:51 EST 2024
On 11/8/24 01:43, Zhang, Shawn via Kerberos wrote:
> I can see that commit c5f9c816107f70139de11b38aa02db2f1774ee0d <https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d> includes the fix for CVE NVD - CVE-2024-26461<https://nvd.nist.gov/vuln/detail/CVE-2024-26461>. However, these changes are not yet included in the latest krb5 release, which is 1.21.3 (krb5-1.21.3-final <https://github.com/krb5/krb5/tree/krb5-1.21.3-final> ).
In my view as the upstream maintainer, these logic errors have zero
impact and should not have been assigned any CVEs. Therefore I have no
intent to backport the fixes to a stable release branch. This CVE is
part of an unfortunate trend where researchers discover "defects" using
static analysis tools and allocate CVEs with no meaningful analysis of
whether there is an actual vulnerability [1].
The logic error in gss_krb5int_make_seal_token_v3() could only result in
a memory leak if the bounds check "SIZE_MAX - 300 < message->length"
triggers, meaning the application asked to wrap or MIC a message of
almost the entire addressable memory. This is of course impossible;
more than 300 bytes of address space will be used by other parts of a
program.
The other logic error is in xdr_rmtcallres(), which I believe (with high
confidence) is unused in this implementation of the RPC library.
[1] https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
More information about the Kerberos
mailing list