RT/krbdev.mit.edu: Ticket #6764 has_mandatory_for_kdc_authdata checks only first authdata element
The Basics
Id: 6764
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Version_Fixed: 1.8.4
Target_Version: 1.8.4

 Dates  
Created: Fri Aug 27 14:16:37 2010
Starts: Not set
Started: Thu Sep 2 11:35:28 2010
Last Contact: Fri Oct 15 17:42:23 2010
Due: Not set
Updated: Wed Dec 16 18:02:56 2015 by tlyu
 

People
Owner: ghudson
Requestors: roszkowski@wisc.edu

History
      Fri Aug 27 14:16:37 2010  roszkowski@wisc.edu - Ticket created    
     
Date: Thu, 26 Aug 2010 09:37:57 -0500
From: Mike Roszkowski <roszkowski@wisc.edu>
Subject: has_mandatory_for_kdc_authdata checks only first authdata element
To: krb5-bugs@mit.edu


 >Submitter-Id:	net
 >Originator:	Mike Roszkowski
 >Organization:  University of Wisconsin-Madison

 >Confidential:	no
 >Synopsis:	has_mandatory_for_kdc_authdata checks only first authdata element
 >Severity:	non-critical
 >Priority:	low
 >Category:	krb5-kdc
 >Class:		sw-bug
 >Release:	1.8.2
 >Environment:

System: Linux sugar.doit.wisc.edu 2.6.18-194.3.1.el5 #1 SMP Sun May 2 04:17:42 EDT
2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

 >Description:

I was trying to debug a kdc crash and was looking at kdc_authdata.c and found
what looks to be a typo in has_mandatory_for_kdc_authdata:

1    if (authdata != NULL) {
2        for (i = 0; authdata[i] != NULL; i++) {
3            if (authdata[0]->ad_type == KRB5_AUTHDATA_MANDATORY_FOR_KDC) {
4                ret = TRUE;
5                break;
6            }
7        }
8    }


In the line marked "3" above, only authdata[0] is being checked. I think the
intention was to check all the authdata elements, so it should be
authdata[i].

 >How-To-Repeat:

 >Fix:




      Thu Sep  2 11:35:28 2010  ghudson - Given to ghudson    
      Thu Sep  2 11:35:28 2010  ghudson - Status changed from new to review    
      Thu Sep  2 11:35:28 2010  ghudson - Tags pullup added    
      Thu Sep  2 11:35:28 2010  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: SVN Commit


Properly search for MANDATORY-FOR-KDC authdata elements.  Reported by
Mike Roszkowski.


https://github.com/krb5/krb5/commit/e1365586bae0591541b72ca8a223fa73a57aa2bd
Commit By: ghudson
Revision: 24286
Changed Files:
U   trunk/src/kdc/kdc_authdata.c


      Thu Sep  2 11:37:35 2010  glenn.barry@oracle.com - Comments added    
     
Date: Thu, 2 Sep 2010 08:37:28 -0700 (PDT)
From: glenn.barry@oracle.com
To: rt-comment@krbdev.mit.edu
Subject: Auto Reply: [krbdev.mit.edu #6764] SVN Commit
RT-Send-Cc: 

I'll be out of the office from Sep 2 - 10.  Pls contact Anup.Sekhar@oracle.com if it
can't wait till I get back.


      Thu Sep  2 11:39:27 2010  ghudson - Comments added    
     
A brief security analysis:

For application servers, authdata elements are supposed to be mandatory
by default, meaning the server should reject the request if it doesn't
understand the authdata.  For KDCs, authdata elements are only mandatory
if they are embedded in a MANDATORY-FOR-KDC container.

Because of this bug, the KDC might not properly reject a request which
contains a MANDATORY-FOR-KDC container.  This is no worse than the
behavior in 1.7 and prior, so this does not constitute a serious security
issue.  I'm not aware of any defined authdata types which make use of
MANDATORY-FOR-KDC.
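
The loop quoted in the report beside the reporter's suggested `authdata[i]` form, as an added example (not the krb5 source and not the committed fix). `struct authdata`, the function names and the sample lists are simplified stand-ins constructed here; the type numbers are those of RFC 4120.

```c
#include <stdio.h>

/* Authorization-data type numbers from RFC 4120, section 5.2.6. */
#define AD_IF_RELEVANT       1
#define AD_MANDATORY_FOR_KDC 8

/* Simplified stand-in for the KDC's authdata element (assumption). */
struct authdata { int ad_type; };

/* The loop as quoted in the report: walks with i but tests element 0. */
int has_mandatory_buggy(struct authdata **authdata)
{
    int ret = 0;
    size_t i;
    if (authdata != NULL) {
        for (i = 0; authdata[i] != NULL; i++) {
            if (authdata[0]->ad_type == AD_MANDATORY_FOR_KDC) {
                ret = 1;
                break;
            }
        }
    }
    return ret;
}

/* With the reporter's suggested change: test the element being visited. */
int has_mandatory_fixed(struct authdata **authdata)
{
    size_t i;
    for (i = 0; authdata != NULL && authdata[i] != NULL; i++) {
        if (authdata[i]->ad_type == AD_MANDATORY_FOR_KDC)
            return 1;
    }
    return 0;
}

/* Constructed, NULL-terminated sample lists. */
struct authdata if_relevant = { AD_IF_RELEVANT };
struct authdata mandatory = { AD_MANDATORY_FOR_KDC };
struct authdata *mandatory_first[] = { &mandatory, &if_relevant, NULL };
struct authdata *mandatory_second[] = { &if_relevant, &mandatory, NULL };
struct authdata *no_mandatory[] = { &if_relevant, NULL };

int main(void)
{
    printf("MANDATORY-FOR-KDC second: buggy=%d fixed=%d\n",
           has_mandatory_buggy(mandatory_second), has_mandatory_fixed(mandatory_second));
    return 0;
}
```

The buggy form only notices the container when it happens to be the first element; in any other position the check reports that no MANDATORY-FOR-KDC element is present.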


      Thu Sep  2 11:39:46 2010  glenn.barry@oracle.com - Comments added    
     
Date: Thu, 2 Sep 2010 08:38:36 -0700 (PDT)
From: glenn.barry@oracle.com
To: rt-comment@krbdev.mit.edu
Subject: Auto Reply: Auto Reply: [krbdev.mit.edu #6764] SVN Commit
RT-Send-Cc: 

I'll be out of the office from Sep 2 - 10.  Pls contact Anup.Sekhar@oracle.com if it
can't wait till I get back.


      Fri Oct 15 17:42:23 2010  tlyu - Target_Version 1.8.4 added    
      Fri Oct 15 17:42:23 2010  tlyu - Status changed from review to resolved    
      Fri Oct 15 17:42:23 2010  tlyu - Version_Fixed 1.8.4 added    
      Fri Oct 15 17:42:23 2010  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r24286 from trunk

 ------------------------------------------------------------------------
 r24286 | ghudson | 2010-09-02 11:35:25 -0400 (Thu, 02 Sep 2010) | 7 lines

 ticket: 6764
 tags: pullup
 target_version: 1.8.4

 Properly search for MANDATORY-FOR-KDC authdata elements.  Reported by
 Mike Roszkowski.

https://github.com/krb5/krb5/commit/d4da5fa8b83164300b97d0d3b1a859c76335c65a
Commit By: tlyu
Revision: 24459
Changed Files:
U   branches/krb5-1-8/src/kdc/kdc_authdata.c


      Wed Dec 16 18:02:56 2015  tlyu - Keyword pullup deleted