krb5 commit: PKINIT (draft9) null ptr deref [CVE-2012-1016]
Tom Yu
tlyu at MIT.EDU
Fri Dec 14 18:22:09 EST 2012
https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Dec 13 14:26:07 2012 -0500
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu at mit.edu: reformat comment and edit log message]
ticket: 7506 (new)
target_version: 1.11
tags: pullup
src/plugins/preauth/pkinit/pkinit_srv.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index dcfda89..132eef6 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1026,8 +1026,9 @@ pkinit_server_return_padata(krb5_context context,
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If mutually supported KDFs were found, use the alg agility KDF */
- if (rep->u.dh_Info.kdfID) {
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
+ * use the algorithm agility KDF. */
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
secret.data = (char *)server_key;
secret.length = server_key_len;
More information about the cvs-krb5
mailing list