krb5 commit: PKINIT null pointer deref [CVE-2013-1415]
Benjamin Kaduk
kaduk at MIT.EDU
Fri Feb 15 14:29:06 EST 2013
https://github.com/krb5/krb5/commit/c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang <xi.wang at gmail.com>
Date: Thu Feb 14 18:17:40 2013 -0500
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk at mit.edu: reformat and edit commit message]
ticket: 7570 (new)
target_version: 1.11.1
tags: pullup
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 0360736..827280b 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3253,7 +3253,7 @@ pkinit_check_kdc_pkid(krb5_context context,
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
@@ -3263,7 +3263,6 @@ pkinit_check_kdc_pkid(krb5_context context,
}
retval = 0;
-cleanup:
X509_NAME_free(is->issuer);
ASN1_INTEGER_free(is->serial);
free(is);
More information about the cvs-krb5
mailing list