37 lines
1.6 KiB
Diff
37 lines
1.6 KiB
Diff
From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Mon, 14 Mar 2016 17:26:34 -0400
|
|
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
|
|
|
|
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
|
|
if there is an empty string in the db_args array. Check for this case
|
|
and avoid dereferencing a null pointer.
|
|
|
|
CVE-2016-3119:
|
|
|
|
In MIT krb5 1.6 and later, an authenticated attacker with permission
|
|
to modify a principal entry can cause kadmind to dereference a null
|
|
pointer by supplying an empty DB argument to the modify_principal
|
|
command, if kadmind is configured to use the LDAP KDB module.
|
|
|
|
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
|
|
|
|
ticket: 8383 (new)
|
|
target_version: 1.14-next
|
|
target_version: 1.13-next
|
|
tags: pullup
|
|
|
|
Line numbers are slightly adjusted by Howard Guo <hguo@suse.com> to fit into this older version of Kerberos.
|
|
|
|
diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
|
|
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:00:44.669126353 +0100
|
|
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-03-23 14:01:45.993680720 +0100
|
|
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
|
|
if (db_args) {
|
|
for (i=0; db_args[i]; ++i) {
|
|
arg = strtok_r(db_args[i], "=", &arg_val);
|
|
+ arg = (arg != NULL) ? arg : "";
|
|
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
|
|
dptr = &xargs->tktpolicydn;
|
|
} else {
|