Ticket History #7527: PKINIT (draft9) null ptr deref [CVE-2012-1016]

# Wed Jan 02 18:59:33 2013 tlyu (Taylor Yu) - Ticket created

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 968B

PKINIT (draft9) null ptr deref [CVE-2012-1016]

Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.

The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

[tlyu@mit.edu: reformat comment and edit log message]

(back ported from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)

https://github.com/krb5/krb5/commit/db64ca25d661a47b996b4e2645998b5d7f0eb52c
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: db64ca25d661a47b996b4e2645998b5d7f0eb52c
Branch: krb5-1.10
src/plugins/preauth/pkinit/pkinit_srv.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)

# Wed Jan 02 18:59:34 2013 tlyu (Taylor Yu) - Requestor tlyu (Taylor Yu) added

# Wed Jan 02 18:59:34 2013 tlyu (Taylor Yu) - Status changed from 'new' to 'resolved'

# Wed Jan 02 18:59:34 2013 tlyu (Taylor Yu) - Version_Fixed 1.10.4 added

# Wed Jan 02 19:00:27 2013 tlyu (Taylor Yu) - Ticket 7527 RefersTo ticket 7506.