diff options
author | Isaac Boukris <iboukris@gmail.com> | 2018-12-15 11:56:36 +0200 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2019-01-06 22:40:58 -0500 |
commit | 17cc01779e8e40cc414b39bc2a99fd48bb064124 (patch) | |
tree | 554d65b7e5b9ad9660a57b101e2ee4f54c42ac08 | |
parent | 51246e3c5b1f7650660d562669228d5b6fe26796 (diff) | |
download | krb5-17cc01779e8e40cc414b39bc2a99fd48bb064124.zip krb5-17cc01779e8e40cc414b39bc2a99fd48bb064124.tar.gz krb5-17cc01779e8e40cc414b39bc2a99fd48bb064124.tar.bz2 |
Remove incorrect KDC assertion
The assertion in return_enc_padata() is reachable because
kdc_make_s4u2self_rep() may have previously added encrypted padata.
It is no longer necessary because the code uses add_pa_data_element()
instead of allocating a new list.
CVE-2018-20217:
In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
using an older encryption type (DES, DES3, or RC4) can cause an
assertion failure in the KDC by sending an S4U2Self request.
[ghudson@mit.edu: rewrote commit message with CVE description]
(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
ticket: 8767
version_fixed: 1.15.5
-rw-r--r-- | src/kdc/kdc_preauth.c | 1 | ||||
-rwxr-xr-x | src/tests/gssapi/t_s4u.py | 7 |
2 files changed, 7 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 605fcb7..0708f4d 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1609,7 +1609,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt, krb5_error_code code = 0; /* This should be initialized and only used for Win2K compat and other * specific standardized uses such as FAST negotiation. */ - assert(reply_encpart->enc_padata == NULL); if (is_referral) { code = return_referral_enc_padata(context, reply_encpart, server); if (code) diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index 07e6d5a..c1a585a 100755 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -144,6 +144,13 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out: realm.stop() +for realm in multipass_realms(create_host=False, get_creds=False): + service1 = 'service/1@%s' % realm.realm + realm.addprinc(service1) + realm.extract_keytab(service1, realm.keytab) + realm.kinit(service1, None, ['-k']) + realm.run(['./t_s4u', 'p:user', '-']) + # Exercise cross-realm S4U2Self. The query in the foreign realm will # fail, but we can check that the right server principal was used. # Include a regression test for #8741 by unsetting the default realm. |