svn rev #24065: branches/krb5-1-7/src/ kdc/ tests/dejagnu/config/ tests/dejagnu/krb-standalone/
tlyu@MIT.EDU
tlyu at MIT.EDU
Wed May 19 17:23:09 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24065
Commit By: tlyu
Log Message:
ticket: 6727
tags: pullup
target_version: 1.7.2
version_fixed: 1.7.2
subject: CVE-2010-1320 KDC double free caused by ticket renewal (MITKRB5-SA-2010-004)
pull up r23912 from trunk
------------------------------------------------------------------------
r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines
ticket: 6702
target_version: 1.8.2
tags: pullup
Fix CVE-2010-1320 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
Changed Files:
U branches/krb5-1-7/src/kdc/do_tgs_req.c
U branches/krb5-1-7/src/tests/dejagnu/config/default.exp
U branches/krb5-1-7/src/tests/dejagnu/krb-standalone/standalone.exp
Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c
===================================================================
--- branches/krb5-1-7/src/kdc/do_tgs_req.c 2010-05-19 19:53:03 UTC (rev 24064)
+++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2010-05-19 21:23:09 UTC (rev 24065)
@@ -492,6 +492,7 @@
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
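Review bot: The added `enc_tkt_reply.authorization_data = NULL;` has no comment explaining that the preceding struct assignment is a shallow copy and that header_ticket keeps ownership of the authdata; the same uncommented line is added in the renewal branch in the next hunk. I would put `/* shallow copy: header_ticket still owns authorization_data; drop the alias so it is freed only once */` above both assignments, so a later edit does not remove them as dead stores. The other pointer members copied by `enc_tkt_reply = *(header_ticket->enc_part2);` remain aliased, and the cleanup path is outside the hunk, so it is worth confirming that none of them is released through enc_tkt_reply. The enclosing function starts and ends outside the hunk.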
@@ -503,6 +504,7 @@
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
Modified: branches/krb5-1-7/src/tests/dejagnu/config/default.exp
===================================================================
--- branches/krb5-1-7/src/tests/dejagnu/config/default.exp 2010-05-19 19:53:03 UTC (rev 24064)
+++ branches/krb5-1-7/src/tests/dejagnu/config/default.exp 2010-05-19 21:23:09 UTC (rev 24065)
@@ -2230,6 +2230,40 @@
return 1
}
+proc kinit_renew { name pass standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ spawn $KINIT -5 -f $name@$REALMNAME
+ expect {
+ "Password for $name@$REALMNAME:" {
+ verbose "kinit started"
+ }
+ timeout {
+ fail "kinit"
+ return 0
+ }
+ eof {
+ fail "kinit"
+ return 0
+ }
+ }
+ send "$pass\r"
+ expect eof
+ if ![check_exit_status kinit] {
+ return 0
+ }
+
+ spawn $KINIT -R
+ expect eof
+ if ![check_exit_status "kinit_renew"] {
+ return 0
+ }
+
+ return 1
+}
+
proc kinit_kt { name keytab standalone testname } {
global REALMNAME
global KINIT
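Review bot: The `expect eof` after `spawn $KINIT -R` in kinit_renew has no `timeout` branch, unlike the password-prompt block above it, so a renewal that hangs falls through to check_exit_status without reporting a failure of its own. Since this proc is the regression test for a KDC memory error, an unresponsive KDC is the case it most needs to report clearly. I would turn it into an `expect { ... }` block with `eof { }` and `timeout { fail "kinit_renew"; return 0 }`. The `standalone` parameter is not used anywhere in the visible body; a one-line comment saying it is kept for signature parity with the other kinit procs would help, if that is the reason.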
Modified: branches/krb5-1-7/src/tests/dejagnu/krb-standalone/standalone.exp
===================================================================
--- branches/krb5-1-7/src/tests/dejagnu/krb-standalone/standalone.exp 2010-05-19 19:53:03 UTC (rev 24064)
+++ branches/krb5-1-7/src/tests/dejagnu/krb-standalone/standalone.exp 2010-05-19 21:23:09 UTC (rev 24065)
@@ -199,6 +199,10 @@
return
}
+ if ![kinit_renew krbtest/admin adminpass$KEY 1] {
+ return
+ }
+
# Make sure that klist can see the ticket.
if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return
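Review bot: Nothing visible after the `kinit_renew` call checks that the KDC is still healthy; the next step is do_klist, which by its name and comment inspects the ticket cache rather than contacting the KDC. The test therefore catches the double free only when it makes the renewal itself fail, which presumably depends on the allocator aborting on the second free. A comment such as `# Regression test for the renewal double free (ticket 6727); most reliable with a malloc checker enabled` would record that limitation. The rest of the test procedure is outside the hunk, so a later KDC request may already cover this.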