Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
krb5-mini
0108-Fix-S4U2Self-KDC-crash-when-anon-is-restri...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch of Package krb5-mini
From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Tue, 19 Jul 2016 11:00:28 -0400 Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted In validate_as_request(), when enforcing restrict_anonymous_to_tgt, use client.princ instead of request->client; the latter is NULL when validating S4U2Self requests. CVE-2016-3120: In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C ticket: 8458 (new) target_version: 1.14-next target_version: 1.13-next Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos. diff -rupN krb5-1.12.1/src/kdc/kdc_util.c krb5-1.12.1-patched/src/kdc/kdc_util.c --- krb5-1.12.1/src/kdc/kdc_util.c 2016-07-28 16:31:24.670405088 +0200 +++ krb5-1.12.1-patched/src/kdc/kdc_util.c 2016-07-28 16:35:18.717040802 +0200 @@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act return(KDC_ERR_MUST_USE_USER2USER); } - if (check_anon(kdc_active_realm, request->client, request->server) != 0) { + if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; return(KDC_ERR_POLICY); } diff -rupN krb5-1.12.1/src/tests/t_pkinit.py krb5-1.12.1-patched/src/tests/t_pkinit.py --- krb5-1.12.1/src/tests/t_pkinit.py 2016-07-28 16:31:24.654404908 +0200 +++ krb5-1.12.1-patched/src/tests/t_pkinit.py 2016-07-28 16:35:18.717040802 +0200 @@ -81,6 +81,11 @@ out = realm.run([kvno, realm.host_princ] if 'KDC policy rejects request' not in out: fail('Wrong error for restricted anonymous PKINIT') +# Regression test for #8458: S4U2Self requests crash the KDC if +# anonymous is restricted. +realm.kinit(realm.host_princ, flags=['-k']) +realm.run([kvno, '-U', 'user', realm.host_princ]) + # Go back to a normal KDC and disable anonymous PKINIT. realm.stop_kdc() realm.start_kdc()
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor