Skip Menu |
 

From: ghudson@mit.edu
Subject: git commit

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Author: Greg Hudson <ghudson@mit.edu>
Commit: 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Branch: master
src/kdc/kdc_util.c | 2 +-
src/tests/t_pkinit.py | 5 +++++
2 files changed, 6 insertions(+), 1 deletions(-)
Reported by Diogenes S. Jesus.
From: tlyu@mit.edu
Subject: git commit

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)

https://github.com/krb5/krb5/commit/85c3046d42eeb821967ad5625fcb08e8c6177b1a
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 85c3046d42eeb821967ad5625fcb08e8c6177b1a
Branch: krb5-1.14
src/kdc/kdc_util.c | 2 +-
src/tests/t_pkinit.py | 5 +++++
2 files changed, 6 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
[tlyu@mit.edu: removed test case depending on absent functionality]

https://github.com/krb5/krb5/commit/cce19103f7673edb54b1b8e5fa0a516bd009d2c3
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: cce19103f7673edb54b1b8e5fa0a516bd009d2c3
Branch: krb5-1.13
src/kdc/kdc_util.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)