e206af5319
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch (bsc#963968) - Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch (bsc#963975) - Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch (bsc#963964) OBS-URL: https://build.opensuse.org/request/show/357309 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=158
76 lines
2.7 KiB
Diff
76 lines
2.7 KiB
Diff
From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Fri, 8 Jan 2016 12:52:28 -0500
|
|
Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630]
|
|
|
|
In kadm5_create_principal_3() and kadm5_modify_principal(), check for
|
|
entry->policy being null when KADM5_POLICY is included in the mask.
|
|
|
|
CVE-2015-8630:
|
|
|
|
In MIT krb5 1.12 and later, an authenticated attacker with permission
|
|
to modify a principal entry can cause kadmind to dereference a null
|
|
pointer by supplying a null policy value but including KADM5_POLICY in
|
|
the mask.
|
|
|
|
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
|
|
|
ticket: 8342 (new)
|
|
target_version: 1.14-next
|
|
target_version: 1.13-next
|
|
tags: pullup
|
|
|
|
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
|
|
index 5b95fa3..1d4365c 100644
|
|
--- a/src/lib/kadm5/srv/svr_principal.c
|
|
+++ b/src/lib/kadm5/srv/svr_principal.c
|
|
@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
|
|
/*
|
|
* Argument sanity checking, and opening up the DB
|
|
*/
|
|
+ if (entry == NULL)
|
|
+ return EINVAL;
|
|
if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
|
|
(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
|
|
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
|
|
@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
|
|
return KADM5_BAD_MASK;
|
|
if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
|
|
return KADM5_BAD_MASK;
|
|
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
|
|
+ return KADM5_BAD_MASK;
|
|
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
|
|
return KADM5_BAD_MASK;
|
|
if((mask & ~ALL_PRINC_MASK))
|
|
return KADM5_BAD_MASK;
|
|
- if (entry == NULL)
|
|
- return EINVAL;
|
|
|
|
/*
|
|
* Check to see if the principal exists
|
|
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
|
|
|
|
krb5_clear_error_message(handle->context);
|
|
|
|
+ if(entry == NULL)
|
|
+ return EINVAL;
|
|
if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
|
|
(mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
|
|
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
|
|
@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
|
|
return KADM5_BAD_MASK;
|
|
if((mask & ~ALL_PRINC_MASK))
|
|
return KADM5_BAD_MASK;
|
|
+ if((mask & KADM5_POLICY) && entry->policy == NULL)
|
|
+ return KADM5_BAD_MASK;
|
|
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
|
|
return KADM5_BAD_MASK;
|
|
- if(entry == (kadm5_principal_ent_t) NULL)
|
|
- return EINVAL;
|
|
if (mask & KADM5_TL_DATA) {
|
|
tl_data_orig = entry->tl_data;
|
|
while (tl_data_orig) {
|
|
--
|
|
2.7.0
|
|
|