krb5 commit [krb5-1.14]: Fix LDAP null deref on empty arg [CVE-2016-3119]

Tom Yu tlyu at mit.edu
Tue Apr 5 23:02:56 EDT 2016


https://github.com/krb5/krb5/commit/b5abd8c4872d7a024d49439342a6643f774afb1c
commit b5abd8c4872d7a024d49439342a6643f774afb1c
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Mar 14 17:26:34 2016 -0400

    Fix LDAP null deref on empty arg [CVE-2016-3119]
    
    In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
    if there is an empty string in the db_args array.  Check for this case
    and avoid dereferencing a null pointer.
    
    CVE-2016-3119:
    
    In MIT krb5 1.6 and later, an authenticated attacker with permission
    to modify a principal entry can cause kadmind to dereference a null
    pointer by supplying an empty DB argument to the modify_principal
    command, if kadmind is configured to use the LDAP KDB module.
    
        CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
    
    (cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)
    
    ticket: 8383
    version_fixed: 1.14.2

 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 5def4b7..ef72ac6 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
     if (db_args) {
         for (i=0; db_args[i]; ++i) {
             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
                 dptr = &xargs->tktpolicydn;
             } else {


More information about the cvs-krb5 mailing list