krb5 commit [krb5-1.9]: Fix KDC heap corruption vuln [CVE-2012-1015]

Tom Yu tlyu at MIT.EDU
Wed Aug 1 15:58:57 EDT 2012


https://github.com/krb5/krb5/commit/eea40a7476f3fe8e1047349eaaf7c0e9426196d2
commit eea40a7476f3fe8e1047349eaaf7c0e9426196d2
Author: Tom Yu <tlyu at mit.edu>
Date:   Tue Jul 31 22:45:08 2012 -0400

    Fix KDC heap corruption vuln [CVE-2012-1015]
    
    Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
    CVE-2012-1015].  The cleanup code in
    kdc_handle_protected_negotiation() in kdc_util.c could free an
    uninitialized pointer in some error conditions involving "similar"
    enctypes and a failure in krb5_c_make_checksum().
    
    Additionally, adjust the handling of "similar" enctypes to avoid
    advertising enctypes that could lead to inadvertent triggering of this
    vulnerability (possibly in unpatched KDCs).
    
    Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
    applies to the krb5-1.10 branch and doesn't affect the master branch
    or releases prior to krb5-1.10.
    
    (cherry picked from commit 3551501359c6d2396fa4779d378ae165f5b37242)
    
    ticket: 7225
    version_fixed: 1.9.5
    status: resolved

 src/kdc/kdc_preauth.c     |    3 ++-
 src/kdc/kdc_util.c        |    1 +
 src/lib/kdb/kdb_default.c |    3 +++
 3 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 52fb51a..fd3b580 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1562,7 +1562,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
                 continue;
 
             }
-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 2913738..3940943 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2469,6 +2469,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 18de7c7..ae184c4 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
     krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;
 


More information about the cvs-krb5 mailing list