Debian Patches
Status for munge/0.5.16-1.1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| oob-read-fix.patch | [PATCH 1/2] Fix out-of-bounds read in credential decoding. Add missing bounds check before copying MAC in dec_unpack_outer(). All other fields unpacked in dec_unpack_outer() validate that sufficient data remains in the buffer before reading. However, the MAC was copied without checking if c->mac_len bytes were available. An attacker can craft a credential specifying a large MAC type while providing a truncated credential with insufficient data. When memcpy() attempts to copy c->mac_len bytes, it reads beyond the received buffer, potentially reading up to 64 bytes of process memory (for SHA-512 MACs). Additionally, subtracting c->mac_len from the remaining length causes an integer underflow, making c->inner_len negative and resulting in undefined behavior in subsequent operations. While this is a memory safety violation, subsequent validation prevents information disclosure. When encryption is enabled, either malloc() fails with the negative (wrapped to huge) buffer size or cipher_update() rejects the negative srclen. When encryption is disabled, mac_update() rejects the negative srclen. In all cases, the credential is rejected before any leaked data could be disclosed to the attacker. | Chris Dunlap <cdunlap@llnl.gov> | no | | | 2026-01-26 |
| buffer-overflow-fix.patch | [PATCH 2/2] Fix buffer overflow when unpacking message address length. Add validation that addr_len does not exceed the size of the addr field before copying IP address data in _msg_unpack(). The m_msg structure contains a 4-byte struct in_addr for the IP address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len field (uint8_t) was read from untrusted message data and used directly in _copy() without validation. An attacker setting addr_len to 255 causes _copy() to write 251 bytes past the end of the addr field, corrupting subsequent structure members. This buffer overflow corrupts munged's internal state and can be exploited by a local attacker to leak conf->mac_key and other cryptographic secrets from process memory. With the leaked key, an attacker can forge arbitrary MUNGE credentials to impersonate any user to services that rely on MUNGE for authentication. Any local user can trigger this by connecting to munged's Unix socket and sending a crafted MUNGE_MSG_DEC_RSP message. While message type validation in job_exec() will reject response-type messages, this validation occurs after m_msg_recv() has already called _msg_unpack() to process the message body. The buffer overflow occurs during the unpacking phase, before the message type is validated and rejected. A working proof-of-concept exploit exists that demonstrates key leakage and credential forgery. | Chris Dunlap <cdunlap@llnl.gov> | no | | | 2026-01-26 |
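Both patches above add the same kind of defence: a length read from untrusted input is checked against what is actually available (remaining buffer for the MAC, the 4-byte address field for addr_len) before any copy happens. The following C program is an added example, not MUNGE's code, and does not reproduce its structures or functions; it shows a length-checked unpack routine of the kind the two patches describe, run over constructed sample messages. The struct layout, field names, status codes, the `take()` cursor helper and the sample bytes are all assumptions chosen for illustration; only the two checks correspond to what the patch descriptions say.

```c
/* Added example (not MUNGE's code). A minimal unpack routine that performs
 * the two checks the patches above describe: the MAC must fit in the data
 * that remains, and addr_len must not exceed the destination field. All
 * names and the message layout are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_MAX  64   /* SHA-512 digest size, the largest MAC the text mentions */
#define ADDR_LEN 4    /* sizeof(struct in_addr) */

enum unpack_status {
    UNPACK_OK = 0,
    UNPACK_TRUNCATED = -1,     /* a length field claims more bytes than were received */
    UNPACK_BAD_MAC_LEN = -2,   /* mac_len larger than any supported digest */
    UNPACK_BAD_ADDR_LEN = -3   /* addr_len larger than the addr field */
};

struct cred {
    uint8_t  mac_len;
    uint8_t  mac[MAC_MAX];
    uint32_t inner_len;        /* bytes left after the MAC; never underflows here */
    uint8_t  addr_len;
    uint8_t  addr[ADDR_LEN];
    uint8_t  canary[8];        /* a neighbour that an addr overflow would clobber */
};

/* Cursor over an untrusted buffer: every read is checked against what is left. */
struct cursor { const uint8_t *p; size_t left; };

static int take(struct cursor *c, void *dst, size_t n)
{
    if (n > c->left)           /* refuse rather than read past the buffer */
        return 0;
    memcpy(dst, c->p, n);
    c->p += n;
    c->left -= n;              /* decremented only after the check, so no underflow */
    return 1;
}

int unpack_cred(const uint8_t *buf, size_t len, struct cred *out)
{
    struct cursor c = { buf, len };
    memset(out, 0, sizeof *out);
    memset(out->canary, 0xAA, sizeof out->canary);

    if (!take(&c, &out->mac_len, 1))
        return UNPACK_TRUNCATED;
    if (out->mac_len > MAC_MAX)                 /* keeps the copy inside out->mac */
        return UNPACK_BAD_MAC_LEN;
    if (!take(&c, out->mac, out->mac_len))      /* check 1: MAC must fit in remaining data */
        return UNPACK_TRUNCATED;
    out->inner_len = (uint32_t)c.left;

    if (!take(&c, &out->addr_len, 1))
        return UNPACK_TRUNCATED;
    if (out->addr_len > ADDR_LEN)               /* check 2: a uint8_t may be 255, field is 4 */
        return UNPACK_BAD_ADDR_LEN;
    if (!take(&c, out->addr, out->addr_len))
        return UNPACK_TRUNCATED;
    return UNPACK_OK;
}

/* Constructed sample messages (not real MUNGE credentials). */
static const uint8_t SAMPLE_OK[]        = { 4, 0x11, 0x22, 0x33, 0x44, 4, 10, 0, 0, 1 };
static const uint8_t SAMPLE_SHORT_MAC[] = { 64, 0x11, 0x22, 0x33 };           /* claims 64-byte MAC, 3 present */
static const uint8_t SAMPLE_BAD_ADDR[]  = { 4, 0x11, 0x22, 0x33, 0x44, 255, 1, 2, 3, 4 };

int demo_ok(void)        { struct cred c; return unpack_cred(SAMPLE_OK, sizeof SAMPLE_OK, &c); }
int demo_short_mac(void) { struct cred c; return unpack_cred(SAMPLE_SHORT_MAC, sizeof SAMPLE_SHORT_MAC, &c); }
int demo_bad_addr(void)  { struct cred c; return unpack_cred(SAMPLE_BAD_ADDR, sizeof SAMPLE_BAD_ADDR, &c); }

/* Returns 1 if the field after addr is untouched after the oversized addr_len attempt. */
int demo_bad_addr_keeps_neighbour(void)
{
    struct cred c;
    unpack_cred(SAMPLE_BAD_ADDR, sizeof SAMPLE_BAD_ADDR, &c);
    for (size_t i = 0; i < sizeof c.canary; i++)
        if (c.canary[i] != 0xAA) return 0;
    return 1;
}

int main(void)
{
    printf("valid message:      %d\n", demo_ok());
    printf("truncated MAC:      %d\n", demo_short_mac());
    printf("addr_len = 255:     %d\n", demo_bad_addr());
    printf("neighbour intact:   %d\n", demo_bad_addr_keeps_neighbour());
    return 0;
}
```

The pattern worth carrying into any unpacker is that the cursor's remaining length is checked first and reduced only after a successful copy, so a signed or unsigned "remaining minus claimed length" can never go negative, and every fixed-size destination field has its own upper bound independent of what the wire says.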
All known versions for source package 'munge'
- 0.5.16-1.1 (forky, sid)
- 0.5.16-1.1~deb13u1 (trixie-proposed-updates, trixie-security)
- 0.5.16-1 (trixie)
- 0.5.15-2+deb12u1 (bookworm-security, bookworm-proposed-updates)
- 0.5.15-2 (bookworm)
