[28785] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.12]: Add tests for LDAP ticket/policy name misuse

daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Feb 9 22:29:42 2015

Date: Mon, 9 Feb 2015 22:27:42 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201502100327.t1A3RgM9011750@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/1d7c0f44dcfe4a87f82e53dd604f13c72f9f4aad
commit 1d7c0f44dcfe4a87f82e53dd604f13c72f9f4aad
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Dec 5 14:02:04 2014 -0500

    Add tests for LDAP ticket/policy name misuse
    
    (cherry picked from commit e8df0458673071e56346730fa843c83aca88631f)
    
    ticket: 8137
    version_fixed: 1.12.3
    status: resolved

 src/tests/t_kdb.py |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 4ad4b15..99f043d 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -228,6 +228,27 @@ if out:
 # Create another ticket policy to be destroyed with the realm.
 kldaputil(['create_policy', 'tktpol2'])
 
+# Try to create a password policy conflicting with a ticket policy.
+out = realm.run_kadminl('addpol tktpol2')
+if 'Already exists while creating policy "tktpol2"' not in out:
+    fail('Expected error not seen in kadmin.local output')
+
+# Try to create a ticket policy conflicting with a password policy.
+realm.run_kadminl('addpol pwpol')
+out = kldaputil(['create_policy', 'pwpol'], expected_code=1)
+if 'Already exists while creating policy object' not in out:
+    fail('Expected error not seen in kdb5_ldap_util output')
+
+# Try to use a password policy as a ticket policy.
+out = realm.run_kadminl('modprinc -x tktpolicy=pwpol princ4')
+if 'Object class violation' not in out:
+    fail('Expected error not seem in kadmin.local output')
+
+# Try to use a ticket policy as a password policy (CVE-2014-5353).
+out = realm.run_kadminl('modprinc -policy tktpol2 princ4')
+if 'WARNING: policy "tktpol2" does not exist' not in out:
+    fail('Expected error not seen in kadmin.local output')
+
 # Do some basic tests with a KDC against the LDAP module, exercising the
 # db_args processing code.
 realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri,
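Review bot: the failure message in the third check ("Expected error not seem in kadmin.local output") has a typo, "seem" for "seen", and should match the wording of the other three messages. Also, the first and fourth checks rely solely on a substring match against kadmin.local output with no exit-code check (unlike the kdb5_ldap_util check, which passes expected_code=1), so if the error text is reworded in a later release the test will fail for the wrong reason; consider adding a follow-up check that princ4's policy and tktpolicy attributes are still unchanged after each rejected modprinc, so the test also catches the case where the warning is printed but the conflicting reference is written anyway.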
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
