[16897] in Kerberos-V5-bugs


[krbdev.mit.edu #9101] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Aug 7 17:55:32 2023

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-1239819-1691445284-100.9101-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9101":;
Date: Mon, 07 Aug 2023 17:54:44 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Mon Aug 07 17:54:44 2023: Request 9101 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9101 >



Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket.  Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.

https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
Author: Andreas Schneider <asn@samba.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 88a1701b423c13991a8064feeb26952d3641d840
Branch: master
 src/kdc/do_tgs_req.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
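The aliasing pattern the commit message describes, as an added example that is not taken from the krb5 source: a whole-structure copy shares an owned pointer between two tickets, so a cleanup path that releases both frees it twice, while copying only the needed field does not. `struct toy_ticket`, `tracked_free()` and `issue_with_failure()` are hypothetical names, the principal string is constructed, and the free wrapper counts repeated frees instead of performing them.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model (assumption): not the krb5 ticket structure or KDC code. */
struct toy_ticket {
    const char *server;   /* borrowed string, never freed here */
    char *enc_part;       /* owned heap buffer */
};

static void *freed[8];
static int nfreed, double_frees;

/* Free wrapper: records each pointer it releases and counts a repeat
 * instead of passing the same pointer to free() a second time. */
static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == p) { double_frees++; return; }
    }
    if (nfreed < 8)
        freed[nfreed++] = p;
    free(p);
}

/* Simulates issuing a new ticket from a header ticket when a later step
 * fails before the new ticket gets its own enc_part. Returns the number
 * of double-free attempts seen in cleanup, or -1 on allocation failure. */
static int issue_with_failure(int copy_whole_struct)
{
    struct toy_ticket header = { "krbtgt/EXAMPLE", NULL };  /* constructed */
    struct toy_ticket reply = { NULL, NULL };

    nfreed = double_frees = 0;
    header.enc_part = malloc(16);
    if (header.enc_part == NULL)
        return -1;
    if (copy_whole_struct)
        reply = header;                /* enc_part now aliased */
    else
        reply.server = header.server;  /* copy only the server field */

    /* Simulated failure: jump to cleanup, which releases both tickets. */
    tracked_free(reply.enc_part);
    tracked_free(header.enc_part);
    return double_frees;
}

int main(void)
{
    printf("whole-struct copy: %d double-free attempt(s)\n", issue_with_failure(1));
    printf("server-only copy:  %d double-free attempt(s)\n", issue_with_failure(0));
    return 0;
}
```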
