41 lines
1.7 KiB
Plaintext
41 lines
1.7 KiB
Plaintext
|
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
|
||
|
|
Author: Nalin Dahyabhai <nalin@redhat.com>
|
||
|
|
Date: Thu Dec 13 14:26:07 2012 -0500
|
||
|
|
|
||
|
|
PKINIT (draft9) null ptr deref [CVE-2012-1016]
|
||
|
|
|
||
|
|
Don't check for an agility KDF identifier in the non-draft9 reply
|
||
|
|
structure when we're building a draft9 reply, because it'll be NULL.
|
||
|
|
|
||
|
|
The KDC plugin for PKINIT can dereference a null pointer when handling
|
||
|
|
a draft9 request, leading to a crash of the KDC process. An attacker
|
||
|
|
would need to have a valid PKINIT certificate, or an unauthenticated
|
||
|
|
attacker could execute the attack if anonymous PKINIT is enabled.
|
||
|
|
|
||
|
|
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
|
||
|
|
|
||
|
|
[tlyu@mit.edu: reformat comment and edit log message]
|
||
|
|
|
||
|
|
ticket: 7506 (new)
|
||
|
|
target_version: 1.11
|
||
|
|
tags: pullup
|
||
|
|
|
||
|
|
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||
|
|
===================================================================
|
||
|
|
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
|
||
|
|
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||
|
|
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
|
||
|
|
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
|
||
|
|
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
|
||
|
|
|
||
|
|
- /* If mutually supported KDFs were found, use the alg agility KDF */
|
||
|
|
- if (rep->u.dh_Info.kdfID) {
|
||
|
|
- secret.data = server_key;
|
||
|
|
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
|
||
|
|
+ * use the algorithm agility KDF. */
|
||
|
|
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
|
||
|
|
+ secret.data = (char *)server_key;
|
||
|
|
secret.length = server_key_len;
|
||
|
|
|
||
|
|
retval = pkinit_alg_agility_kdf(context, &secret,
|