Re: git: c9dd7bffa58c - main - krb5: Fix two NegoEx parsing vulnerabilities
- In reply to: Cy Schubert : "git: c9dd7bffa58c - main - krb5: Fix two NegoEx parsing vulnerabilities"
Date: Fri, 01 May 2026 00:19:47 UTC
In message <69f3efba.307f2.6f425dba@gitrepo.freebsd.org>, Cy Schubert writes:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6
>
> commit c9dd7bffa58c50b2f7ed9e66ace39197c468d8e6
> Author:     Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2026-04-30 19:27:31 +0000
> Commit:     Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2026-05-01 00:11:25 +0000
>
>     krb5: Fix two NegoEx parsing vulnerabilities
>
>     Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit
>     log is:
>
>     In parse_nego_message(), check the result of the second call to
>     vector_base() before dereferencing it. In parse_message(), check for
>     a short header_len to prevent an integer underflow when calculating
>     the remaining message length.
>
>     Reported by Cem Onat Karagun.
>
>     CVE-2026-40355:
>
>     In MIT krb5 release 1.18 and later, if an application calls
>     gss_accept_sec_context() on a system with a NegoEx mechanism
>     registered in /etc/gss/mech, an unauthenticated remote attacker can
>     trigger a null pointer dereference, causing the process to terminate.
>
>     CVE-2026-40356:
>
>     In MIT krb5 release 1.18 and later, if an application calls
>     gss_accept_sec_context() on a system with a NegoEx mechanism
>     registered in /etc/gss/mech, an unauthenticated remote attacker can
>     trigger a read overrun of up to 52 bytes, possibly causing the process
>     to terminate. Exfiltration of the bytes read does not appear
>     possible.
> ---

FreeBSD is not vulnerable to this Microsoft NegoEx extension. But it is a good idea to include this anyway. Though it is still good to include this patch.

I was notified about this at $JOB.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
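The short-header_len check that the quoted commit message describes, shown as an added illustration that is neither the krb5 code nor the FreeBSD patch: the two-field header layout, the sample buffers and the function names are constructed for this example and are not the real MS-NEGOEX wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified message header (not the real NegoEx layout):
 * two little-endian u32 fields, header_len (length of the whole header,
 * fixed part plus any extension) and message_len (whole message). */
#define HDR_FIXED_LEN 8u

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: returns 0 and stores the number of header extension
 * bytes that follow the fixed fields, or -1 for any malformed header. */
static int parse_message(const uint8_t *buf, size_t buflen, size_t *ext_len)
{
    if (buflen < HDR_FIXED_LEN)
        return -1;
    uint32_t header_len = le32(buf), message_len = le32(buf + 4);
    /* The check the upstream fix adds: without it, header_len - HDR_FIXED_LEN
     * wraps to ~4 GiB for a too-small header_len and a later read of that
     * many bytes would run past the end of the buffer. */
    if (header_len < HDR_FIXED_LEN)
        return -1;
    if (message_len < header_len || message_len > buflen)
        return -1;
    *ext_len = header_len - HDR_FIXED_LEN;
    return 0;
}

/* Vulnerable computation kept for comparison: unsigned subtraction
 * silently underflows instead of failing. */
static uint32_t ext_len_unchecked(uint32_t header_len)
{
    return header_len - HDR_FIXED_LEN;
}

/* Constructed samples: header_len 6 is shorter than the fixed header;
 * header_len 12 carries four extension bytes inside a 12-byte message. */
static const uint8_t SHORT_HDR[8]  = { 6, 0, 0, 0, 8, 0, 0, 0 };
static const uint8_t GOOD_HDR[12]  = { 12, 0, 0, 0, 12, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD };

static int demo_short_header(void)
{
    size_t ext = 0;
    return parse_message(SHORT_HDR, sizeof(SHORT_HDR), &ext);   /* -1 */
}

static size_t demo_good_header(void)
{
    size_t ext = 0;
    return parse_message(GOOD_HDR, sizeof(GOOD_HDR), &ext) == 0 ? ext : (size_t)-1;   /* 4 */
}
```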