Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.507 (Entity 5.507) From: ghudson@mit.edu Subject: git commit X-RT-Original-Encoding: iso-8859-1 Content-Length: 1942 Fix flaws in LDAP DN checking KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB module, and not used in disk or wire principal entries. Prevent kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a type number less than 256 and filtering out type numbers less than 256 in kadm5_create_principal_3(). (We already filter out low type numbers in kadm5_modify_principal()). In the LDAP KDB module, if containerdn and linkdn are both specified in a put_principal operation, check both linkdn and the computed standalone_principal_dn for container membership. To that end, factor out the checks into helper functions and call them on all applicable client-influenced DNs. CVE-2018-5729: In MIT krb5 1.6 or later, an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can cause a null dereference in kadmind, or circumvent a DN container check, by supplying tagged data intended to be internal to the database module. Thanks to Sharwan Ram and Pooja Anil for discovering the potential null dereference. CVE-2018-5730: In MIT krb5 1.6 or later, an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1 Author: Greg Hudson Commit: e1caf6fb74981da62039846931ebdffed71309d1 Branch: master src/lib/kadm5/srv/svr_principal.c | 7 + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 +++++++++++--------- src/tests/t_kdb.py | 11 + 4 files changed, 125 insertions(+), 95 deletions(-)