Inquiry Regarding CVE-2024-26461 Fix in Upcoming krb5 Release

Greg Hudson ghudson at mit.edu
Fri Nov 8 12:18:51 EST 2024


On 11/8/24 01:43, Zhang, Shawn via Kerberos wrote:
> I can see that commit c5f9c816107f70139de11b38aa02db2f1774ee0d <https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d> includes the fix for CVE NVD - CVE-2024-26461<https://nvd.nist.gov/vuln/detail/CVE-2024-26461>. However, these changes are not yet included in the latest krb5 release, which is 1.21.3 (krb5-1.21.3-final <https://github.com/krb5/krb5/tree/krb5-1.21.3-final> ).

In my view as the upstream maintainer, these logic errors have zero 
impact and should not have been assigned any CVEs.  Therefore I have no 
intent to backport the fixes to a stable release branch.  This CVE is 
part of an unfortunate trend where researchers discover "defects" using 
static analysis tools and allocate CVEs with no meaningful analysis of 
whether there is an actual vulnerability [1].

The logic error in gss_krb5int_make_seal_token_v3() could only result in 
a memory leak if the bounds check "SIZE_MAX - 300 < message->length" 
triggers, meaning the application asked to wrap or MIC a message of 
almost the entire addressable memory.  This is of course impossible; 
more than 300 bytes of address space will be used by other parts of a 
program.

The other logic error is in xdr_rmtcallres(), which I believe (with high 
confidence) is unused in this implementation of the RPC library.

[1] https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/


More information about the Kerberos mailing list