openSUSE:11.4:Update
File bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif of Package krb5
commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b Author: Richard Basch <basch@alum.mit.edu> Date: Tue May 29 14:07:03 2012 -0400 Null pointer deref in kadmind [CVE-2012-1013] The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy. CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C [ghudson@mit.edu: Minor style change and commit message] ticket: 7152 target_version: 1.10.2 tags: pullup Index: krb5-1.8.3/src/lib/kadm5/srv/svr_principal.c =================================================================== --- krb5-1.8.3.orig/src/lib/kadm5/srv/svr_principal.c +++ krb5-1.8.3/src/lib/kadm5/srv/svr_principal.c @@ -196,7 +196,7 @@ check_1_6_dummy(kadm5_principal_ent_t en char *password = *passptr; /* Old-style randkey operations disallowed tickets to start. */ - if (!(mask & KADM5_ATTRIBUTES) || + if (password == NULL || !(mask & KADM5_ATTRIBUTES) || !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) return;
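Review bot: the comment above the changed condition in check_1_6_dummy still reads only "Old-style randkey operations disallowed tickets to start." and does not explain the new `password == NULL` early return. Extend it to say that a request without a password (the commit message's "addprinc -randkey -allow_tix name" case) has no dummy password to inspect, so the function must return before the password is examined. Two further points on the same hunk: `char *password = *passptr;` dereferences passptr unconditionally one line earlier, so it is worth confirming that every caller passes a non-null passptr, since this fix only covers a null `*passptr`. The patch also touches only svr_principal.c and adds no regression test; a test that issues a create-principal request with no password and KRB5_KDB_DISALLOW_ALL_TIX set would keep this from recurring.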