[17118] in Kerberos-V5-bugs
[krbdev.mit.edu #9223] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Jul 9 22:22:20 2026
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-388531-1783650130-1592.9223-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9223":;
Date: Thu, 09 Jul 2026 22:22:10 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9223 >
Fix key usage list parsing in PKINIT matching code
pkinit_matching.c:parse_list_value() uses strncasecmp() to compare a
comma-delimited substring of the configured input rule (value) against
a string literal (ku->value). The strncasecmp() call uses the wrong
bound, so could erroneously match a prefix of ku->value. When this
happens, the pointer into the rule is incremented by the full length
of the string literal (not the matched prefix), possibly advancing
past the end of the rule and causing a subsequent undefined memory
read.
Fix this bug by checking the rule substring length against the string
literal length before comparing. Reported by Aisle Research (Ze
Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken).
https://github.com/krb5/krb5/commit/53be0c473f8a0bc88e0f0d99544034b04edacb7b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 53be0c473f8a0bc88e0f0d99544034b04edacb7b
Branch: master
src/plugins/preauth/pkinit/pkinit_matching.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs