author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-07-07 11:47:44 +1200 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2021-07-12 10:37:30 -0400 |
commit | fc98f520caefff2e5ee9a0026fdf5109944b3562 (patch) | |
tree | 04f7e1e47780d8baa711856d9cd2f0e39cce571e /src/tests/Makefile.in | |
parent | f573f7f8ee5269103a0492d6521a3242c5ffb63b (diff) | |
Fix KDC null deref on bad encrypted challenge

The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.

CVE-2021-36222:

In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.

[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]

ticket: 9007 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
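
The retval overwrite described in the commit message, modelled as an added example; it is not krb5 source and not part of this commit. `dup0`, `derive`, `verify_model`, the `check_first` switch and the `ENOENT` error value are hypothetical stand-ins, and the derivation step records a NULL key instead of dereferencing it so the model never crashes.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for k5memdup0(): copies len bytes, NUL-terminates,
 * and stores 0 or ENOMEM in *code, replacing whatever *code held before. */
static void *dup0(const void *in, size_t len, int *code)
{
    char *p = calloc(1, len + 1);
    *code = (p == NULL) ? ENOMEM : 0;
    if (p != NULL && len > 0)
        memcpy(p, in, len);
    return p;
}

/* Hypothetical stand-in for the key derivation call: records that it was
 * handed a NULL key rather than dereferencing it. */
static int derive(const void *armor_key, int *null_key_used)
{
    if (armor_key == NULL)
        *null_key_used = 1;
    return 0;
}

/* check_first = 0 models the flow the commit message describes;
 * check_first = 1 models the fix (test retval before the dup call).
 * Returns the final error code; *null_key_used is set when the
 * derivation step was reached with a NULL armor key. */
int verify_model(const void *armor_key, const char *data, size_t len,
                 int check_first, int *null_key_used)
{
    int retval = 0;
    char *copy;

    *null_key_used = 0;
    if (armor_key == NULL)
        retval = ENOENT;        /* assumed error value for "no armor key" */
    if (check_first && retval != 0)
        return retval;          /* fixed flow: stop while the error is intact */

    copy = dup0(data, len, &retval);    /* success resets retval to 0 */
    if (retval == 0)
        retval = derive(armor_key, null_key_used);
    free(copy);
    return retval;
}
```
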
Diffstat (limited to 'src/tests/Makefile.in')
-rw-r--r-- | src/tests/Makefile.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index fc6fcc0..1a19383 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) $(RM) au.log $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ |
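
Review bot: The added `$(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)` line in check-pytests depends on a script that this view does not show, since the diffstat is limited to src/tests/Makefile.in. Confirm that t_cve-2021-36222.py is added to src/tests in the same commit, otherwise check-pytests will fail at this step. The commit is tagged pullup for 1.19-next and 1.18-next, so each backport needs this Makefile line and the script together. Placement directly after t_cve-2013-1417.py keeps the CVE regression tests grouped and in order, which is fine as is.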