[26614] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.9]: Null pointer deref in kadmind [CVE-2012-1013]

daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Jun 11 19:00:20 2012

Date: Mon, 11 Jun 2012 19:00:17 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201206112300.q5BN0HJi024823@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/f7d42a08d9a4e4559e3efa3ed199927407be658e
commit f7d42a08d9a4e4559e3efa3ed199927407be658e
Author: Richard Basch <basch@alum.mit.edu>
Date:   Tue May 29 14:07:03 2012 -0400

    Null pointer deref in kadmind [CVE-2012-1013]
    
    The fix for #6626 could cause kadmind to dereference a null pointer if
    a create-principal request contains no password but does contain the
    KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
    name").  Only clients authorized to create principals can trigger the
    bug.  Fix the bug by testing for a null password in check_1_6_dummy.
    
    CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
    
    [ghudson@mit.edu: Minor style change and commit message]
    
    (cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)
    
    ticket: 7168 (new)
    version_fixed: 1.9.4
    status: resolved

 src/lib/kadm5/srv/svr_principal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index ba76b5d..2b630af 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -194,7 +194,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
     char *password = *passptr;
 
     /* Old-style randkey operations disallowed tickets to start. */
-    if (!(mask & KADM5_ATTRIBUTES) ||
+    if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
         return;
 
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post