[17118] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #9223] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Jul 9 22:22:20 2026

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-388531-1783650130-1592.9223-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9223":;
Date: Thu, 09 Jul 2026 22:22:10 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9223 >


Fix key usage list parsing in PKINIT matching code

pkinit_matching.c:parse_list_value() uses strncasecmp() to compare a
comma-delimited substring of the configured input rule (value) against
a string literal (ku->value).  The strncasecmp() call uses the wrong
bound, so could erroneously match a prefix of ku->value.  When this
happens, the pointer into the rule is incremented by the full length
of the string literal (not the matched prefix), possibly advancing
past the end of the rule and causing a subsequent undefined memory
read.

Fix this bug by checking the rule substring length against the string
literal length before comparing.  Reported by Aisle Research (Ze
Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken).

https://github.com/krb5/krb5/commit/53be0c473f8a0bc88e0f0d99544034b04edacb7b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 53be0c473f8a0bc88e0f0d99544034b04edacb7b
Branch: master
 src/plugins/preauth/pkinit/pkinit_matching.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post