Skip Menu |
 

From: ghudson@mit.edu
Subject: git commit

Fix LDAP null deref on empty arg [CVE-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99
Author: Greg Hudson <ghudson@mit.edu>
Commit: 08c642c09c38a9c6454ab43a9b53b2a89b9eef99
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix LDAP null deref on empty arg [CVE-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)

https://github.com/krb5/krb5/commit/b5abd8c4872d7a024d49439342a6643f774afb1c
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: b5abd8c4872d7a024d49439342a6643f774afb1c
Branch: krb5-1.14
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix LDAP null deref on empty arg [CVE-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)

https://github.com/krb5/krb5/commit/e4c219e8d0208fb6b3ee9037d3dc2ef1a3003c56
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: e4c219e8d0208fb6b3ee9037d3dc2ef1a3003c56
Branch: krb5-1.13
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)