RT RT/krbdev.mit.edu: Ticket #7506 PKINIT (draft9) null ptr deref [CVE-2012-1016] Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
7506
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Version_reported
Version_Fixed
  • 1.11
Target_Version
  • 1.11
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 7527: (tlyu) PKINIT (draft9) null ptr deref [CVE-2012-1016] [resolved]
 
 Dates  
Created: Fri Dec 14 18:22:09 2012
Starts: Not set
Started: Fri Dec 14 18:22:10 2012
Last Contact: Not set
Due: Not set
Updated: Sun Dec 16 21:30:48 2012 by tlyu
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu
Cc
 
AdminCc
 
 

 More about Tom Yu  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Fri Dec 14 18:22:09 2012  tlyu - Ticket created    
     
From: tlyu@mit.edu
Subject: SVN Commit


PKINIT (draft9) null ptr deref [CVE-2012-1016]

Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.

The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process.  An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

[tlyu@mit.edu: reformat comment and edit log message]

https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: cd5ff932c9d1439c961b0cf9ccff979356686aff
Branch: master
 src/plugins/preauth/pkinit/pkinit_srv.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)


Download (untitled) 895b
      Fri Dec 14 18:22:10 2012  tlyu - Requestor tlyu@mit.edu added    
      Fri Dec 14 18:22:10 2012  tlyu - Status changed from new to review    
      Fri Dec 14 18:22:10 2012  tlyu - Tags pullup added    
      Fri Dec 14 18:22:10 2012  tlyu - Target_Version 1.11 added    
      Sun Dec 16 21:30:47 2012  tlyu - Status changed from review to resolved    
      Sun Dec 16 21:30:48 2012  tlyu - Version_Fixed 1.11 added    
      Sun Dec 16 21:30:48 2012  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


PKINIT (draft9) null ptr deref [CVE-2012-1016]

Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.

The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process.  An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

[tlyu@mit.edu: reformat comment and edit log message]

(cherry picked from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)

https://github.com/krb5/krb5/commit/6550da5ecc58af19bc2e4e6c1108d25b210c6ef8
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 6550da5ecc58af19bc2e4e6c1108d25b210c6ef8
Branch: krb5-1.11
 src/plugins/preauth/pkinit/pkinit_srv.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)


Download (untitled) 968b