RT/krbdev.mit.edu: Ticket #8252 Fix build_principal memory bug [CVE-2015-2697]

The Basics
Id: 8252
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Tags:
Version_reported:
Version_Fixed: 1.14
Target_Version: 1.14

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
  • 8283: (tlyu) Fix build_principal memory bug [CVE-2015-2697] [resolved]
  • 8315: (tlyu) Fix build_principal memory bug [CVE-2015-2697] [resolved]
Dates
Created: Mon Oct 26 13:44:51 2015
Starts: Not set
Started: Mon Oct 26 13:44:52 2015
Last Contact: Mon Oct 26 15:39:42 2015
Due: Not set
Updated: Wed Dec 16 18:03:04 2015 by tlyu

People
Owner: ghudson
Requestors: ghudson@mit.edu
Cc:
AdminCc:

History

Mon Oct 26 13:44:51 2015  ghudson - Ticket created

From: ghudson@mit.edu
Subject: git commit


Fix build_principal memory bug [CVE-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
Author: Greg Hudson <ghudson@mit.edu>
Commit: f0c094a1b745d91ef2f9a4eae2149aac026a5789
Branch: master
 src/lib/krb5/krb/bld_princ.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)


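The allocation mismatch the commit message describes, as an added example that is not part of the ticket, the commit or krb5's own code: a length-counted realm copied with strdup() beside a k5memdup0()-style copy. The demo_* names, the demo_data struct and the sample realm are constructed for this illustration.

```c
/* Added illustration, not krb5's own code: the strdup() realm copy that
 * CVE-2015-2697 describes beside a k5memdup0()-style copy; names are made up. */
#define _POSIX_C_SOURCE 200809L   /* declares strdup() under strict -std modes */
#include <stdlib.h>
#include <string.h>

typedef struct { size_t length; char *data; } demo_data;  /* like krb5_data */

/* Constructed sample: a realm field whose first byte is NUL. */
static const char DEMO_REALM[] = "\0EXAMPLE.COM";
#define DEMO_REALM_LEN (sizeof(DEMO_REALM) - 1)            /* 12 bytes */

/* Pre-fix shape: length comes from the caller but strdup() stops at the first
 * NUL, so a realm beginning with NUL gets a one-byte allocation. */
int demo_copy_realm_strdup(demo_data *out, const char *realm, size_t len)
{
    out->length = len;
    out->data = strdup(realm);
    return (out->data == NULL) ? -1 : 0;
}

/* Post-fix shape, modelled on k5memdup0(): allocate len + 1 bytes, copy
 * exactly len bytes regardless of embedded NULs, and NUL-terminate. */
int demo_copy_realm_memdup0(demo_data *out, const char *realm, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, realm, len);
    copy[len] = '\0';
    out->length = len;
    out->data = copy;
    return 0;
}

/* Bytes the chosen path really allocates for the sample realm (strlen() + 1
 * for strdup(), len + 1 for memdup0; 0 on failure or a non-exact copy). */
size_t demo_copy_bytes(int use_memdup0)
{
    demo_data d = { 0, NULL };
    size_t n = 0;
    if (!use_memdup0 && demo_copy_realm_strdup(&d, DEMO_REALM, DEMO_REALM_LEN) == 0)
        n = strlen(d.data) + 1;     /* 1: only the terminator was allocated */
    else if (use_memdup0 &&
             demo_copy_realm_memdup0(&d, DEMO_REALM, DEMO_REALM_LEN) == 0 &&
             memcmp(d.data, DEMO_REALM, DEMO_REALM_LEN) == 0 &&
             d.data[DEMO_REALM_LEN] == '\0')
        n = d.length + 1;           /* 13: every realm byte plus terminator */
    free(d.data);                   /* free(NULL) is a no-op */
    return n;
}
```

The strdup() path reports a 1-byte copy while the recorded length stays 12, which is exactly the gap that later reads of the realm walk into; the memdup0 path allocates 13 bytes and reproduces every byte.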
Mon Oct 26 13:44:52 2015  ghudson - Requestor ghudson@mit.edu added
Mon Oct 26 13:44:52 2015  ghudson - Status changed from new to review
Mon Oct 26 13:44:52 2015  ghudson - Tags pullup added
Mon Oct 26 13:44:52 2015  ghudson - Target_Version 1.14 added
Mon Oct 26 15:39:42 2015  tlyu - Status changed from review to resolved
Mon Oct 26 15:39:42 2015  tlyu - Version_Fixed 1.14 added
Mon Oct 26 15:39:42 2015  tlyu - Correspondence added

From: tlyu@mit.edu
Subject: git commit


Fix build_principal memory bug [CVE-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)

https://github.com/krb5/krb5/commit/67bdf8189b24efca8a244316e7d51bd52d0dbda9
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 67bdf8189b24efca8a244316e7d51bd52d0dbda9
Branch: krb5-1.14
 src/lib/krb5/krb/bld_princ.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)


Wed Dec 16 18:03:04 2015  tlyu - Keyword pullup deleted