Content-Transfer-Encoding: binary Content-Disposition: inline X-RT-Interface: API MIME-Version: 1.0 Subject: git commit X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset="utf-8" From: ghudson@mit.edu X-RT-Original-Encoding: ascii RT-Message-ID: Content-Length: 1277 Fix KDC null deref on bad encrypted challenge The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check to avoid further processing if the armor key is NULL. However, this check is bypassed by a call to k5memdup0() which overwrites retval with 0 if the allocation succeeds. If the armor key is NULL, a call to krb5_c_fx_cf2_simple() will then dereference it, resulting in a crash. Add a check before the k5memdup0() call to avoid overwriting retval. CVE-2021-36222: In MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST. [ghudson@mit.edu: trimmed patch; added test case; edited commit message] (cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562) https://github.com/krb5/krb5/commit/83f701ee212122471f42bdfe3195d5c1c2cdb09d Author: Joseph Sutton Committer: Greg Hudson Commit: 83f701ee212122471f42bdfe3195d5c1c2cdb09d Branch: krb5-1.19 src/kdc/kdc_preauth_ec.c | 3 +- src/tests/Makefile.in | 1 + src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletions(-)