Skip Menu |
 

Download (untitled) / with headers
text/plain 4.6KiB
From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Mar 12 17:09:51 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 6F5423F0EA;
Fri, 12 Mar 2010 17:09:51 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CM9pvo013889;
Fri, 12 Mar 2010 17:09:51 -0500
Received: from mailhub-dmz-4.mit.edu (MAILHUB-DMZ-4.MIT.EDU [18.7.62.38])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o2CK6PZa027250
for <krb5-bugs-incoming@PCH.mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
[18.7.68.37])
by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id o2CK5ubG002176
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:25 -0500
X-AuditID: 12074425-b7d00ae000002295-a4-4b9a9ec07b72
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with
SMTP id 62.03.08853.1CE9A9B4; Fri, 12 Mar 2010 15:06:25 -0500 (EST)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2CK6OnX015470
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:24 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o2CK6NEF027566
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:23 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o2CK6M6f022913
for <krb5-bugs@mit.edu>; Fri, 12 Mar 2010 15:06:22 -0500
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o2CK6M6N022912;
Fri, 12 Mar 2010 15:06:22 -0500
Date: Fri, 12 Mar 2010 15:06:22 -0500
Message-Id: <201003122006.o2CK6M6N022912@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: krb5_get_init_creds_password() can crash with NULL options and
expired keys
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
X-Brightmail-Tracker: AAAAAhM9I9YTPgcy
X-Mailman-Approved-At: Fri, 12 Mar 2010 17:09:50 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


Show quoted text
>Submitter-Id: net
>Originator: Nalin Dahyabhai
>Organization:
>Confidential: no
>Synopsis: krb5_get_init_creds_password() can crash with NULL options and expired keys
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.8
>Environment:

System: Linux blade.bos.redhat.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

Show quoted text
>Description:
Bert Barbé noted, on kerberos@, that krb5_get_init_creds_password(),
if it was dealing with an expired key, could try to dereference its
"options" argument to read flags before checking that "options"
wasn't NULL.
Show quoted text
>Fix:
This patch creates an krb5_gic_opt_ext structure using the passed-in
options value, which ensures that when we go to check the flags, we
get the library defaults if we were passed NULL.

Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 23799)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
@@ -123,6 +123,7 @@
int tries;
krb5_creds chpw_creds;
krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_gic_opt_ext *opte = NULL;
krb5_data pw0, pw1;
char banner[1024], pw0array[1024], pw1array[1024];
krb5_prompt prompt[2];
@@ -218,7 +219,8 @@
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;

/* ok, we have an expired password. Give the user a few chances
@@ -332,6 +334,8 @@
&use_master, &as_reply);

cleanup:
+ if (opte != options)
+ krb5_get_init_creds_opt_free(context, opte);
krb5int_set_prompt_types(context, 0);
/* if getting the password was successful, then check to see if the
password is about to expire, and warn if so */
From: ghudson@mit.edu
Subject: SVN Commit

When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.


https://github.com/krb5/krb5/commit/8b640863c756137b3bc8d3146cbd74040b3b1088
Commit By: ghudson
Revision: 23815
Changed Files:
U trunk/src/lib/krb5/krb/gic_pwd.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r23815 from trunk

------------------------------------------------------------------------
r23815 | ghudson | 2010-03-17 14:10:10 -0700 (Wed, 17 Mar 2010) | 7 lines

ticket: 6681
target_version: 1.8.1
tags: pullup

When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
dereference options if it's NULL.

https://github.com/krb5/krb5/commit/faf1d49929ff39c32e50ceabdce69bbebfc23652
Commit By: tlyu
Revision: 23825
Changed Files:
U branches/krb5-1-8/src/lib/krb5/krb/gic_pwd.c