2013-11-04 20:55:03 +00:00
|
|
|
commit 05c544eef3633b774ca38154ba4c2bf3416b471b
|
2013-11-04 20:47:55 +00:00
|
|
|
Author: Tom Yu <tlyu@mit.edu>
|
2013-11-04 20:55:03 +00:00
|
|
|
Date: Mon Nov 4 15:33:09 2013 -0500
|
2013-11-04 20:47:55 +00:00
|
|
|
|
|
|
|
|
Multi-realm KDC null deref [CVE-2013-1418]
|
|
|
|
|
|
|
|
|
|
If a KDC serves multiple realms, certain requests can cause
|
|
|
|
|
setup_server_realm() to dereference a null pointer, crashing the KDC.
|
|
|
|
|
|
|
|
|
|
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
|
|
|
|
|
|
|
|
|
|
A related but more minor vulnerability requires authentication to
|
|
|
|
|
exploit, and is only present if a third-party KDC database module can
|
|
|
|
|
dereference a null pointer under certain conditions.
|
|
|
|
|
|
2013-11-04 20:55:03 +00:00
|
|
|
(back ported from commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf)
|
|
|
|
|
|
|
|
|
|
ticket: 7756 (new)
|
|
|
|
|
version_fixed: 1.11.4
|
|
|
|
|
status: resolved
|
2013-11-04 20:47:55 +00:00
|
|
|
|
|
|
|
|
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
2013-11-04 20:55:03 +00:00
|
|
|
index 1624046..8a085a2 100644
|
2013-11-04 20:47:55 +00:00
|
|
|
--- a/src/kdc/main.c
|
|
|
|
|
+++ b/src/kdc/main.c
|
2013-11-04 20:55:03 +00:00
|
|
|
@@ -125,6 +125,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
|
2013-11-04 20:47:55 +00:00
|
|
|
int kdc_numrealms = handle->kdc_numrealms;
|
|
|
|
|
|
2013-11-04 20:55:03 +00:00
|
|
|
kret = 0;
|
2013-11-04 20:47:55 +00:00
|
|
|
+ if (sprinc == NULL)
|
|
|
|
|
+ return NULL;
|
|
|
|
|
+
|
|
|
|
|
if (kdc_numrealms > 1) {
|
|
|
|
|
if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
|
2013-11-04 20:55:03 +00:00
|
|
|
(krb5_ui_4) sprinc->realm.length)))
|
