author: Andreas Schneider <asn@samba.org> 2023-08-04 09:54:06 +0200
committer: Greg Hudson <ghudson@mit.edu> 2023-08-14 01:17:57 -0400
commit: f4dcb7e442e0f314db5b4f7449aa101cbb28bdd4
tree: d972a6a525c4dd5943e02d0e322656c342acb15b /src/po/mit-krb5.pot
parent: 4d2efc18f2a758962d2151e24f3fb5c51a9f708c
Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to free the same pointer twice if it can induce a failure in authorization data handling.

(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)

ticket: 9101
version_fixed: 1.21.2

Diffstat (limited to 'src/po/mit-krb5.pot')
0 files changed, 0 insertions, 0 deletions
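
The aliasing described in the commit message, as an added example that is not part of the krb5 source or this commit: a simplified C model in which `struct ticket`, `release()` and `run_case()` are hypothetical names. It assumes the encryption step gives the new ticket its own encrypted part, and it counts repeated releases instead of performing them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a ticket and its owned encrypted part (not krb5 types). */
struct enc_part { int flags; };
struct ticket { const char *server; struct enc_part *enc_part; };

static void *released[4];
static int n_released, double_frees;

/* Record a release instead of calling free() at once, so a repeated
 * release is counted rather than triggering undefined behaviour. */
static void release(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    released[n_released++] = p;
}

/* Models the issuing path; authdata_ok == 0 models handle_authdata() failing.
 * Returns how many times an already-released pointer was released again. */
static int run_case(int copy_whole, int authdata_ok) {
    struct ticket header = { "krbtgt/EXAMPLE", calloc(1, sizeof(struct enc_part)) };
    struct ticket reply;
    n_released = double_frees = 0;

    if (copy_whole) {
        reply = header;                 /* before: reply.enc_part aliases header's */
    } else {
        memset(&reply, 0, sizeof(reply));
        reply.server = header.server;   /* after: copy only the server field */
    }
    if (authdata_ok)                    /* assumed: encryption gives reply its own part */
        reply.enc_part = calloc(1, sizeof(struct enc_part));

    release(reply.enc_part);            /* cleanup of the new ticket */
    release(header.enc_part);           /* cleanup of the header ticket */
    for (int i = 0; i < n_released; i++) free(released[i]);
    return double_frees;
}

int main(void) {
    printf("whole copy, authdata fails: %d\n", run_case(1, 0));
    printf("server only, authdata fails: %d\n", run_case(0, 0));
    return 0;
}
```

Only the whole-structure copy combined with a failure before the encryption step releases the same pointer twice; the server-only copy leaves the new ticket with nothing to release on that path.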