Ticket History #8343: Fix leaks in kadmin server stubs [CVE-2015-8631]

# Wed Jan 27 15:59:27 2016 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1KiB

Fix leaks in kadmin server stubs [CVE-2015-8631]

In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.

CVE-2015-8631:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2
Author: Greg Hudson <ghudson@mit.edu>
Commit: 83ed75feba32e46f736fcce0d96a0445f29b96c2
Branch: master
src/kadmin/server/server_stubs.c | 151 +++++++++++++++++++-------------------
1 files changed, 77 insertions(+), 74 deletions(-)

# Wed Jan 27 15:59:27 2016 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Wed Jan 27 15:59:27 2016 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Wed Jan 27 15:59:27 2016 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Wed Jan 27 15:59:27 2016 ghudson@mit.edu (Greg Hudson) - Target_Version 1.13-next added

# Wed Jan 27 16:01:14 2016 ghudson@mit.edu (Greg Hudson) - Target_Version 1.14-next added

# Mon Feb 08 17:44:24 2016 tlyu (Taylor Yu) - Version_Fixed 1.14.1 added

# Mon Feb 08 17:44:24 2016 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1.1KiB

Fix leaks in kadmin server stubs [CVE-2015-8631]

In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.

CVE-2015-8631:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

(cherry picked from commit 83ed75feba32e46f736fcce0d96a0445f29b96c2)

https://github.com/krb5/krb5/commit/9285cbd39d4c68416b057761f2859c275707c12a
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 9285cbd39d4c68416b057761f2859c275707c12a
Branch: krb5-1.14
src/kadmin/server/server_stubs.c | 151 +++++++++++++++++++-------------------
1 files changed, 77 insertions(+), 74 deletions(-)

# Mon Feb 08 18:38:10 2016 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Mon Feb 08 18:38:10 2016 tlyu (Taylor Yu) - Version_Fixed 1.13.4 added

# Mon Feb 08 18:38:10 2016 tlyu (Taylor Yu) - CustomField pullup deleted

# Mon Feb 08 18:38:10 2016 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1.1KiB

Fix leaks in kadmin server stubs [CVE-2015-8631]

In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.

CVE-2015-8631:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

(cherry picked from commit 83ed75feba32e46f736fcce0d96a0445f29b96c2)

https://github.com/krb5/krb5/commit/3421a1471d635256432f37325310e49a6d039413
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 3421a1471d635256432f37325310e49a6d039413
Branch: krb5-1.13
src/kadmin/server/server_stubs.c | 151 +++++++++++++++++++-------------------
1 files changed, 77 insertions(+), 74 deletions(-)