Ticket History #9101: Fix double-free in KDC TGS processing

# Mon Aug 07 17:54:44 2023 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 989B

Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.

https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
Author: Andreas Schneider <asn@samba.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 88a1701b423c13991a8064feeb26952d3641d840
Branch: master
src/kdc/do_tgs_req.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

# Mon Aug 07 17:54:44 2023 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Mon Aug 07 17:54:44 2023 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Mon Aug 07 17:54:44 2023 ghudson@mit.edu (Greg Hudson) - Target_Version 1.21-next added

# Mon Aug 07 17:54:44 2023 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Mon Aug 14 01:59:42 2023 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.21.2 added

# Mon Aug 14 01:59:42 2023 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1KiB

Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.

(cherry picked from commit 88a1701b423c13991a8064feeb26952d3641d840)

https://github.com/krb5/krb5/commit/f4dcb7e442e0f314db5b4f7449aa101cbb28bdd4
Author: Andreas Schneider <asn@samba.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f4dcb7e442e0f314db5b4f7449aa101cbb28bdd4
Branch: krb5-1.21
src/kdc/do_tgs_req.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

# Mon Aug 14 02:00:08 2023 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted