diff options
author | Greg Hudson <ghudson@mit.edu> | 2016-07-19 11:00:28 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2016-07-19 12:35:42 -0400 |
commit | 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 (patch) | |
tree | b55091f944b6bfc2a71eb0bf5ce752c5eb1437f2 /src/tests | |
parent | 560e11dabb63b141df29c54aaa2e120309a1e021 (diff) | |
download | krb5-93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7.zip krb5-93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7.tar.gz krb5-93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7.tar.bz2 |
Fix S4U2Self KDC crash when anon is restricted
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.
CVE-2016-3120:
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
ticket: 8458 (new)
target_version: 1.14-next
target_version: 1.13-next
Diffstat (limited to 'src/tests')
-rwxr-xr-x | src/tests/t_pkinit.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py index b66c458..f0214b6 100755 --- a/src/tests/t_pkinit.py +++ b/src/tests/t_pkinit.py @@ -93,6 +93,11 @@ out = realm.run([kvno, realm.host_princ], expected_code=1) if 'KDC policy rejects request' not in out: fail('Wrong error for restricted anonymous PKINIT') +# Regression test for #8458: S4U2Self requests crash the KDC if +# anonymous is restricted. +realm.kinit(realm.host_princ, flags=['-k']) +realm.run([kvno, '-U', 'user', realm.host_princ]) + # Go back to a normal KDC and disable anonymous PKINIT. realm.stop_kdc() realm.start_kdc() |