[31269] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.21]: Fix double-free in KDC TGS processing
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Aug 14 01:59:47 2023
From: ghudson@mit.edu
To: <cvs-krb5@mit.edu>
Message-ID: <20230814055935.8AC23104D67@krbdev.mit.edu>
Date: Mon, 14 Aug 2023 01:59:35 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/f4dcb7e442e0f314db5b4f7449aa101cbb28bdd4
commit f4dcb7e442e0f314db5b4f7449aa101cbb28bdd4
Author: Andreas Schneider <asn@samba.org>
Date: Fri Aug 4 09:54:06 2023 +0200
Fix double-free in KDC TGS processing
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)
ticket: 9101
version_fixed: 1.21.2
src/kdc/do_tgs_req.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
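The aliasing the commit message describes, as an added illustration that is not krb5 code: a toy ticket struct is copied either whole (pre-fix) or by its server field only (the fix), and a free-tracking helper counts how often the header ticket's ciphertext pointer reaches the error path's cleanup, so the double free is observed instead of triggering undefined behaviour. All names are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for krb5_enc_data / krb5_ticket (constructed, not the real types). */
struct enc_data { char *ciphertext; };
struct ticket { const char *server; struct enc_data enc_part; };

/* Record every pointer handed to tracked_free(); a pointer recorded twice is
 * the signature of the bug this commit fixes. Nothing is really freed here. */
static void *freed[16];
static int nfreed;

static void tracked_free(void *p)
{
    if (p == NULL || nfreed >= 16)
        return;
    freed[nfreed++] = p;
}

static int times_freed(const void *p)
{
    int n = 0;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p)
            n++;
    return n;
}

/* Model the renew/validate branch of tgs_issue_ticket() followed by a failure in
 * authorization-data handling, where both tickets get cleaned up.
 * copy_whole = true is the old struct copy; false copies only the server field.
 * Returns how many times the header ticket's ciphertext was handed to free. */
static int simulate_renew_failure(bool copy_whole)
{
    char *ct = malloc(8);                 /* the header ticket's enc_part payload */
    struct ticket header = { "krbtgt/EXAMPLE.COM", { ct } };
    struct ticket reply;
    memset(&reply, 0, sizeof(reply));
    nfreed = 0;

    if (copy_whole)
        reply = header;                   /* enc_part.ciphertext is now aliased */
    else
        reply.server = header.server;     /* the fix: reply.enc_part stays NULL */

    /* error path: handle_authdata() failed, both tickets are released */
    tracked_free(reply.enc_part.ciphertext);
    tracked_free(header.enc_part.ciphertext);

    int n = times_freed(ct);
    free(ct);                             /* real release, exactly once */
    return n;
}
```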
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6e4c8fa9f..0acc45850 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
}
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
- /* Copy the whole header ticket except for authorization data. */
- ticket_reply = *t->header_tkt;
+ /* Copy the header ticket server and all enc-part fields except for
+ * authorization data. */
+ ticket_reply.server = t->header_tkt->server;
enc_tkt_reply = *t->header_tkt->enc_part2;
enc_tkt_reply.authorization_data = NULL;
} else {
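Review bot: with the struct copy gone, the `+ ticket_reply.server = t->header_tkt->server;` line leaves every other field of ticket_reply, enc_part in particular, at whatever value it held before this branch; the hunk does not show ticket_reply being zero-initialised, so confirm that it is, otherwise krb5_encrypt_tkt_part() and the cleanup path would operate on stale data. The server pointer is still borrowed from the header ticket, so the new comment on the `+ /* Copy the header ticket server ...` line could state that ticket_reply does not own it and must not free it.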
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5