Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: tlyu@mit.edu Subject: git commit RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 915 Fix S4U2Self KDC crash when anon is restricted In validate_as_request(), when enforcing restrict_anonymous_to_tgt, use client.princ instead of request->client; the latter is NULL when validating S4U2Self requests. CVE-2016-3120: In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C (cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7) [tlyu@mit.edu: removed test case depending on absent functionality] https://github.com/krb5/krb5/commit/cce19103f7673edb54b1b8e5fa0a516bd009d2c3 Author: Greg Hudson Committer: Tom Yu Commit: cce19103f7673edb54b1b8e5fa0a516bd009d2c3 Branch: krb5-1.13 src/kdc/kdc_util.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)