[29511] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.13]: Fix S4U2Self KDC crash when anon is

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jul 22 16:04:18 2016

Date: Fri, 22 Jul 2016 16:04:14 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201607222004.u6MK4Evl013580@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/cce19103f7673edb54b1b8e5fa0a516bd009d2c3
commit cce19103f7673edb54b1b8e5fa0a516bd009d2c3
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Jul 19 11:00:28 2016 -0400

    Fix S4U2Self KDC crash when anon is restricted
    
    In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
    use client.princ instead of request->client; the latter is NULL when
    validating S4U2Self requests.
    
    CVE-2016-3120:
    
    In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
    to dereference a null pointer if the restrict_anonymous_to_tgt option
    is set to true, by making an S4U2Self request.
    
      CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
    
    (cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
    [tlyu@mit.edu: removed test case depending on absent functionality]
    
    ticket: 8458
    version_fixed: 1.13.6

 src/kdc/kdc_util.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 48be1ae..10daec4 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
         return(KDC_ERR_MUST_USE_USER2USER);
     }
 
-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
+    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
         *status = "ANONYMOUS NOT ALLOWED";
         return(KDC_ERR_POLICY);
     }
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post