krb5 commit [krb5-1.8]: Null pointer deref in kadmind [CVE-2012-1013]
Tom Yu
tlyu at MIT.EDU
Fri Jun 15 14:44:00 EDT 2012
https://github.com/krb5/krb5/commit/0b11a472cf0e83972228ad9ca6ee645e4ffd4c24
commit 0b11a472cf0e83972228ad9ca6ee645e4ffd4c24
Author: Tom Yu <tlyu at mit.edu>
Date: Fri Jun 15 14:13:35 2012 -0400
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson at mit.edu: Minor style change and commit message]
(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)
ticket: 7178 (new)
version_fixed: 1.8.7
status: resolved
src/lib/kadm5/srv/svr_principal.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 469a8e8..c9a6881 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -196,7 +196,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
char *password = *passptr;
/* Old-style randkey operations disallowed tickets to start. */
- if (!(mask & KADM5_ATTRIBUTES) ||
+ if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
!(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
return;
More information about the cvs-krb5
mailing list