author | Tom Yu <tlyu@mit.edu> | 2010-05-19 21:23:09 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-05-19 21:23:09 +0000 |
commit | e57ea6ff9470d12fd912a1ff00dada11621ed8a1 (patch) | |
tree | acfc400ca883690030d7ffae03ba3eefe19d034d | |
parent | 9c0f73bd27b7778435f32e8c5dbec97ffb00109e (diff) | |
CVE-2010-1320 KDC double free caused by ticket renewal (MITKRB5-SA-2010-004)
pull up r23912 from trunk
------------------------------------------------------------------------
r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines
ticket: 6702
target_version: 1.8.2
tags: pullup
Fix CVE-2010-1320 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6727
tags: pullup
target_version: 1.7.2
version_fixed: 1.7.2
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@24065 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/do_tgs_req.c | 2 | ||||
-rw-r--r-- | src/tests/dejagnu/config/default.exp | 34 | ||||
-rw-r--r-- | src/tests/dejagnu/krb-standalone/standalone.exp | 4 |
3 files changed, 40 insertions, 0 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index c8cf692..2db5baf 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -492,6 +492,7 @@ tgt_again: to the caller */ ticket_reply = *(header_ticket); enc_tkt_reply = *(header_ticket->enc_part2); + enc_tkt_reply.authorization_data = NULL; clear(enc_tkt_reply.flags, TKT_FLG_INVALID); } @@ -503,6 +504,7 @@ tgt_again: to the caller */ ticket_reply = *(header_ticket); enc_tkt_reply = *(header_ticket->enc_part2); + enc_tkt_reply.authorization_data = NULL; old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index 5c2da50..833a8a1 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -2230,6 +2230,40 @@ proc kinit { name pass standalone } { return 1 } +proc kinit_renew { name pass standalone } { + global REALMNAME + global KINIT + global spawn_id + + spawn $KINIT -5 -f $name@$REALMNAME + expect { + "Password for $name@$REALMNAME:" { + verbose "kinit started" + } + timeout { + fail "kinit" + return 0 + } + eof { + fail "kinit" + return 0 + } + } + send "$pass\r" + expect eof + if ![check_exit_status kinit] { + return 0 + } + + spawn $KINIT -R + expect eof + if ![check_exit_status "kinit_renew"] { + return 0 + } + + return 1 +} + proc kinit_kt { name keytab standalone testname } { global REALMNAME global KINIT diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp index ca1c34d..ddbf3fe 100644 --- a/src/tests/dejagnu/krb-standalone/standalone.exp +++ b/src/tests/dejagnu/krb-standalone/standalone.exp @@ -199,6 +199,10 @@ proc doit { } { return } + if ![kinit_renew krbtest/admin adminpass$KEY 1] { + return + } + # Make sure that klist can see the ticket. if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] { return |
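Review bot: The added `enc_tkt_reply.authorization_data = NULL;` is the entire fix but carries no explanation, and `enc_tkt_reply = *(header_ticket->enc_part2);` on the line above is a shallow struct copy, so a later reader may drop the assignment as redundant or add another pointer member without noticing that it aliases the header ticket's storage. A comment on the new line would pin the invariant: `/* enc_tkt_reply is a shallow copy of the header ticket's enc_part2; clear authorization_data so the reply's copy is not freed in addition to the original (CVE-2010-1320). */`. Any other pointer member of enc_part2 that the reply path later frees would presumably alias the same way, which is worth confirming against the free path that is outside this hunk. The enclosing function (the `tgt_again:` label) starts and ends outside the hunk.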
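Review bot: The copy-then-clear pair `enc_tkt_reply = *(header_ticket->enc_part2);` / `enc_tkt_reply.authorization_data = NULL;` now appears verbatim in both the hunk at 492 and this one at 504, so a third place that copies the header ticket would need the same reset and could easily omit it. A single static helper that performs the ticket copy, the enc_part2 copy and the authorization_data reset together, called from both branches, would make the fix hard to regress; failing that, the same comment should sit on both copies so neither is "cleaned up" independently. This branch goes on to compute `old_life` from the copied `times` and continues outside the hunk, so the helper would have to preserve that ordering.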
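Review bot: `kinit_renew` requests the initial ticket with `-f` only, so whether the TGT is renewable — and therefore whether `kinit -R` actually reaches the renew branch patched at do_tgs_req.c:504 rather than an error path — depends on realm configuration set up elsewhere in this file; requesting it explicitly, `spawn $KINIT -5 -f -r 1d $name@$REALMNAME`, would make the regression test self-contained. The `standalone` parameter mirrors `kinit`'s signature but is never read in the body; either use it or drop it. Nothing added exercises the other patched copy at do_tgs_req.c:492, which clears TKT_FLG_INVALID and so looks like the ticket-validation path — a validate run on a postdated ticket would presumably cover it. A header comment matching the neighbouring procs, `# Obtain an initial TGT for $name using $pass, then renew it with kinit -R; returns 1 on success, 0 on failure.`, is also missing.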
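Review bot: The new call is inserted before the "Make sure that klist can see the ticket" check, so klist and every later step in `doit` now inspect the renewed TGT rather than the one kinit issued; that is a stronger check, but a one-line comment such as `# Renew the TGT (regression test for the KDC double free, CVE-2010-1320).` would make the placement read as deliberate. The `1` passed as `standalone` is not used by `kinit_renew` as written in this commit. `doit` starts and ends outside the hunk.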