[28029] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.10]: Multi-realm KDC null deref [CVE-2013-1418]
daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Nov 4 16:25:14 2013
Date: Mon, 4 Nov 2013 16:25:04 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201311042125.rA4LP4GP028929@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/c2ccf4197f697c4ff143b8a786acdd875e70a89d
commit c2ccf4197f697c4ff143b8a786acdd875e70a89d
Author: Tom Yu <tlyu@mit.edu>
Date: Mon Nov 4 15:49:03 2013 -0500
Multi-realm KDC null deref [CVE-2013-1418]
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
(back ported from commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf)
ticket: 7757 (new)
version_fixed: 1.10.7
status: resolved
src/kdc/main.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/src/kdc/main.c b/src/kdc/main.c
index b56ec19..7160607 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -140,6 +140,9 @@ setup_server_realm(krb5_principal sprinc)
kdc_realm_t *newrealm;
kret = 0;
+ if (sprinc == NULL)
+ return NULL;
+
if (kdc_numrealms > 1) {
if (!(newrealm = find_realm_data(sprinc->realm.data,
(krb5_ui_4) sprinc->realm.length)))
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
