svn rev #23912: trunk/src/ kdc/ tests/dejagnu/config/ tests/dejagnu/krb-standalone/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Apr 20 17:12:10 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23912
Commit By: tlyu
Log Message:
ticket: 6702
target_version: 1.8.2
tags: pullup

Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal.  Add a test case.

See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490

Thanks to Joel Johnson and Brian Almeida for the reports.


Changed Files:
U   trunk/src/kdc/do_tgs_req.c
U   trunk/src/tests/dejagnu/config/default.exp
U   trunk/src/tests/dejagnu/krb-standalone/standalone.exp
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c	2010-04-20 08:02:40 UTC (rev 23911)
+++ trunk/src/kdc/do_tgs_req.c	2010-04-20 21:12:10 UTC (rev 23912)
@@ -543,6 +543,7 @@
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
         clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
     }
 
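Review bot: The added assignment leaves the reason for clearing `authorization_data` implicit, and a comment is warranted because the two preceding lines shallow-copy `*header_ticket` and `*(header_ticket->enc_part2)`, so every pointer-valued member of `enc_tkt_reply` still aliases storage owned by `header_ticket`. Suggested comment above the new line: `/* enc_tkt_reply is a shallow copy; drop the aliased authorization_data pointer so it is not freed both with the reply and with header_ticket (ticket 6702, CVE-2010-1230). */`. The second hunk at -554 makes the same change and should carry the same comment. Whether the other aliased pointer members are handled later in the function is not visible from these hunks, so it is worth confirming that authorization_data is the only member freed on the reply path. The enclosing function begins before and continues past both hunks.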
@@ -554,6 +555,7 @@
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
 
         old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
 

Modified: trunk/src/tests/dejagnu/config/default.exp
===================================================================
--- trunk/src/tests/dejagnu/config/default.exp	2010-04-20 08:02:40 UTC (rev 23911)
+++ trunk/src/tests/dejagnu/config/default.exp	2010-04-20 21:12:10 UTC (rev 23912)
@@ -2107,6 +2107,41 @@
 
     return 1
 }
+
+proc kinit_renew { name pass standalone } {
+    global REALMNAME
+    global KINIT
+    global spawn_id
+
+    spawn $KINIT -5 -f $name@$REALMNAME
+    expect {
+	"Password for $name@$REALMNAME:" {
+	    verbose "kinit started"
+	}
+	timeout {
+	    fail "kinit"
+	    return 0
+	}
+	eof {
+	    fail "kinit"
+	    return 0
+	}
+    }
+    send "$pass\r"
+    expect eof
+    if ![check_exit_status kinit] {
+	return 0
+    }
+
+    spawn $KINIT -R
+    expect eof
+    if ![check_exit_status "kinit_renew"] {
+	return 0
+    }
+
+    return 1
+}
+
 # Retrieve a ticket using FAST armor
 proc kinit_fast { name pass standalone } {
     global REALMNAME
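Review bot: `kinit_renew` has no header comment while the neighbouring `kinit_fast` is introduced by one (`# Retrieve a ticket using FAST armor`); add `# Obtain a ticket and then renew it with kinit -R (regression test for ticket 6702).` above the proc. The `standalone` parameter is accepted but never referenced in the body; if it exists only to match the signature of the sibling procs, a one-line comment saying so would prevent it being mistaken for an omission. The first spawn passes `-f` but no `-r`, so whether the ticket is renewable depends on the krb5.conf used by the test harness, which is not visible here; if it does not request a renewable lifetime, `kinit -R` would fail for a reason unrelated to the KDC fix. The second spawn's `expect eof` has no `timeout` branch, unlike the first, so a hung renewal appears to be reported only indirectly through `check_exit_status`.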

Modified: trunk/src/tests/dejagnu/krb-standalone/standalone.exp
===================================================================
--- trunk/src/tests/dejagnu/krb-standalone/standalone.exp	2010-04-20 08:02:40 UTC (rev 23911)
+++ trunk/src/tests/dejagnu/krb-standalone/standalone.exp	2010-04-20 21:12:10 UTC (rev 23912)
@@ -201,6 +201,10 @@
 	return
     }
 
+    if ![kinit_renew krbtest/admin adminpass$KEY 1] {
+	return
+    }
+
     # Make sure that klist can see the ticket.
     if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
 	return
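Review bot: The new `kinit_renew` call is inserted without a comment, while the adjacent check in this proc is introduced by one (`# Make sure that klist can see the ticket.`); add `# Renew the ticket; exercises the KDC renewal path fixed in ticket 6702.` above the `if`. The enclosing proc starts before this hunk, so the origin of `$KEY` and the preceding ticket acquisition cannot be checked here.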



