diff options
| author | Tom Yu <tlyu@mit.edu> | 2012-07-31 22:45:08 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2012-08-01 14:12:48 -0400 |
| commit | eea40a7476f3fe8e1047349eaaf7c0e9426196d2 (patch) | |
| tree | 99289f954853573718f35ad723f71d36d9a53569 | |
| parent | e194611339abb75521d6267c612c63332ce3747b (diff) | |
| download | krb5-eea40a7476f3fe8e1047349eaaf7c0e9426196d2.zip krb5-eea40a7476f3fe8e1047349eaaf7c0e9426196d2.tar.gz krb5-eea40a7476f3fe8e1047349eaaf7c0e9426196d2.tar.bz2 | |
Fix KDC heap corruption vuln [CVE-2012-1015]
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
(cherry picked from commit 3551501359c6d2396fa4779d378ae165f5b37242)
ticket: 7225
version_fixed: 1.9.5
status: resolved
| -rw-r--r-- | src/kdc/kdc_preauth.c | 3 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 1 | ||||
| -rw-r--r-- | src/lib/kdb/kdb_default.c | 3 |
3 files changed, 6 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 52fb51a..fd3b580 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1562,7 +1562,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, continue; } - if (request_contains_enctype(context, request, db_etype)) { + if (krb5_is_permitted_enctype(context, db_etype) && + request_contains_enctype(context, request, db_etype)) { retval = _make_etype_info_entry(context, client->princ, client_key, db_etype, &entry[i], etype_info2); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 2913738..3940943 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2469,6 +2469,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 18de7c7..ae184c4 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0; |