[17049] in Kerberos-V5-bugs

home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[krbdev.mit.edu #9181] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Aug 20 14:31:03 2025

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-4052408-1755714656-957.9181-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9181":;
Date: Wed, 20 Aug 2025 14:30:57 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181 >


Fix krb5 GSS MIC verification

Commit 7ae0adcdf16687810f747e284c9fb571a561c5bd contains a pair of
bugs that, in combination, result in the acceptance of MIC tokens with
invalid checksums.

In kg_verify_checksum_v3(), properly set bytes 4..7 to 0xFF in the
composed token header for MIC tokens.  In verify_mic_v3(), properly
check the return value of kg_verify_checksum_v3().  In t_invalid.c,
test invalid MIC tokens by altering the bytes of a valid MIC.

Reported by Francis Dupont.

CVE-2025-57736:

MIT krb5 release 1.22 incorrectly accepts krb5 GSS-API MIC tokens with
invalid checksums.

(cherry picked from commit 83cd76b11b069afbc6162edecb30096571e89dd5)

https://github.com/krb5/krb5/commit/2531770c10115cb8b5ff529f813d86fa5a36db4c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 2531770c10115cb8b5ff529f813d86fa5a36db4c
Branch: krb5-1.22
 src/lib/gssapi/krb5/util_crypt.c | 10 +++++++---
 src/lib/gssapi/krb5/verify_mic.c | 11 ++++-------
 src/tests/gssapi/t_invalid.c     | 29 +++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 10 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home	help	back	first	fref	pref	prev	next	nref	lref	last	post