
From: ghudson@mit.edu
Subject: SVN Commit

In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).

CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C

https://github.com/krb5/krb5/commit/e31c182a5ddbdf21490d18fe308a50d82a7d7453
Commit By: ghudson
Revision: 25704
Changed Files:
U trunk/src/kadmin/server/server_stubs.c

From: tlyu@mit.edu
Subject: SVN Commit

Pull up r25704 from trunk

------------------------------------------------------------------------
r25704 | ghudson | 2012-02-21 14:14:47 -0500 (Tue, 21 Feb 2012) | 15 lines

ticket: 7093
subject: Access controls for string RPCs [CVE-2012-1012]
target_version: 1.10.1
tags: pullup

In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).

CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C

https://github.com/krb5/krb5/commit/d83bc412c6e56463f1e333a61cc1f600ed9a65fe
Commit By: tlyu
Revision: 25709
Changed Files:
U branches/krb5-1-10/src/kadmin/server/server_stubs.c
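
The commit messages above tie the impact to how freely the kadmind ACL grants list permission. The following is an added example, not code from krb5 or from either commit: a Python audit of a kadm5.acl-style file that reports which entries holding list privilege lacked the inquire or modify privilege the fixed code requires. The sample ACL is constructed, the function names are hypothetical, and two points are assumptions: permission letters are applied left to right, and only entries with no target (or target `*`) count as global list.

```python
# Added example: flag kadm5.acl lines that the pre-fix kadmind over-privileged.
# Constructed sample ACL; principals and realm are placeholders.
SAMPLE_ACL = """\
# principal             permissions  [target]
*/admin@EXAMPLE.COM     *
helpdesk@EXAMPLE.COM    l
auditor@EXAMPLE.COM     il
joe/admin@EXAMPLE.COM   lm           */root@EXAMPLE.COM
ops@EXAMPLE.COM         xM
"""

ALL_OPS = set("admcilsp")  # what 'x' and '*' stand for


def granted(perms):
    """Expand a permission string: lowercase grants, uppercase revokes.
    Letters are applied left to right (assumption about the parser)."""
    ops = set()
    for ch in perms:
        letters = ALL_OPS if ch.lower() in ("x", "*") else {ch.lower()}
        grant = ch == "*" or ch.islower()
        ops = ops | letters if grant else ops - letters
    return ops


def exposed_entries(acl_text):
    """Map principal -> string RPCs it could call only because of the bug."""
    findings = {}
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else "*"
        ops = granted(perms)
        # Assumption: only entries without a narrower target count as
        # "global list" in the commit message's sense.
        if "l" not in ops or target != "*":
            continue
        extra = []
        if "i" not in ops:  # get_strings now needs inquire, like get_principal
            extra.append("get_strings")
        if "m" not in ops:  # set_string now needs modify, like modify_principal
            extra.append("set_string")
        if extra:
            findings[principal] = extra
    return findings


if __name__ == "__main__":
    for who, rpcs in exposed_entries(SAMPLE_ACL).items():
        print(f"{who}: list-only access also allowed {', '.join(rpcs)}")
```

Entries it reports are the ones whose effective access shrinks after upgrading to a release that contains the fix.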