{"schema_version":"1.7.2","id":"OESA-2023-1116","modified":"2023-02-24T11:04:57Z","published":"2023-02-24T11:04:57Z","upstream":["CVE-2023-25564","CVE-2023-25565","CVE-2023-25567"],"summary":"gssntlmssp security update","details":"Implementing the GSSAPI mechanism of NTLMSSP.\r\n\r\nSecurity Fix(es):\r\n\r\nGSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` were to fail, which would leave `outlen` uninitialized. This can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue is fixed in version 1.2.0.(CVE-2023-25564)\r\n\r\nGSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, an incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the `cb` and `sh` buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This will likely trigger an assertion failure in `free`, causing a denial-of-service. This issue is fixed in version 1.2.0.(CVE-2023-25565)\r\n\r\nGSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read when decoding target information prior to version 1.2.0. The length of the `av_pair` is not checked properly for two of the elements which can trigger an out-of-bound read. The out-of-bounds read can be triggered via the main `gss_accept_sec_context` entry point and could cause a denial-of-service if the memory is unmapped. The issue is fixed in version 1.2.0.(CVE-2023-25567)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"gssntlmssp","purl":"pkg:rpm/openEuler/gssntlmssp\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.0-9.oe1"}]}],"ecosystem_specific":{"aarch64":["gssntlmssp-debuginfo-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-devel-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-help-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-debugsource-0.7.0-9.oe1.aarch64.rpm"],"src":["gssntlmssp-0.7.0-9.oe1.src.rpm"],"x86_64":["gssntlmssp-debuginfo-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-help-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-debugsource-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-devel-0.7.0-9.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"gssntlmssp","purl":"pkg:rpm/openEuler/gssntlmssp\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.0-9.oe1"}]}],"ecosystem_specific":{"aarch64":["gssntlmssp-debuginfo-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-debugsource-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-devel-0.7.0-9.oe1.aarch64.rpm","gssntlmssp-help-0.7.0-9.oe1.aarch64.rpm"],"src":["gssntlmssp-0.7.0-9.oe1.src.rpm"],"x86_64":["gssntlmssp-debugsource-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-devel-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-help-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-0.7.0-9.oe1.x86_64.rpm","gssntlmssp-debuginfo-0.7.0-9.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"gssntlmssp","purl":"pkg:rpm/openEuler/gssntlmssp\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.0-10.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["gssntlmssp-debugsource-0.7.0-9.oe2203.aarch64.rpm","gssntlmssp-0.7.0-9.oe2203.aarch64.rpm","gssntlmssp-help-0.7.0-9.oe2203.aarch64.rpm","gssntlmssp-debuginfo-0.7.0-9.oe2203.aarch64.rpm","gssntlmssp-devel-0.7.0-9.oe2203.aarch64.rpm","gssntlmssp-debuginfo-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-help-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-debugsource-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-devel-0.7.0-10.oe2203sp1.aarch64.rpm"],"src":["gssntlmssp-0.7.0-9.oe2203.src.rpm","gssntlmssp-0.7.0-10.oe2203sp1.src.rpm"],"x86_64":["gssntlmssp-help-0.7.0-9.oe2203.x86_64.rpm","gssntlmssp-devel-0.7.0-9.oe2203.x86_64.rpm","gssntlmssp-0.7.0-9.oe2203.x86_64.rpm","gssntlmssp-debuginfo-0.7.0-9.oe2203.x86_64.rpm","gssntlmssp-debugsource-0.7.0-9.oe2203.x86_64.rpm","gssntlmssp-help-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-debuginfo-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-debugsource-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-devel-0.7.0-10.oe2203sp1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"gssntlmssp","purl":"pkg:rpm/openEuler/gssntlmssp\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.7.0-10.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["gssntlmssp-debuginfo-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-help-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-debugsource-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-0.7.0-10.oe2203sp1.aarch64.rpm","gssntlmssp-devel-0.7.0-10.oe2203sp1.aarch64.rpm"],"src":["gssntlmssp-0.7.0-10.oe2203sp1.src.rpm"],"x86_64":["gssntlmssp-help-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-debuginfo-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-debugsource-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-0.7.0-10.oe2203sp1.x86_64.rpm","gssntlmssp-devel-0.7.0-10.oe2203sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1116"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25564"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25565"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25567"}],"database_specific":{"severity":"High"}}