krb5 commit [krb5-1.13]: Fix kadmind server validation [CVE-2014-9422]
Tom Yu
tlyu at mit.edu
Wed Feb 4 15:49:58 EST 2015
https://github.com/krb5/krb5/commit/2bc4bb02a70d7537baf1c3f6ebc126ded42ea133
commit 2bc4bb02a70d7537baf1c3f6ebc126ded42ea133
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Dec 29 13:27:42 2014 -0500
Fix kadmind server validation [CVE-2014-9422]
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.
(cherry picked from commit 6609658db0799053fbef0d7d0aa2f1fd68ef32d8)
ticket: 8057
version_fixed: 1.13.1
status: resolved
src/kadmin/server/kadm_rpc_svc.c | 12 +++---------
1 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
index 3837931..f4d2a7c 100644
--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -4,7 +4,7 @@
*
*/
-#include <k5-platform.h>
+#include <k5-int.h>
#include <gssrpc/rpc.h>
#include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
#include <syslog.h>
@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
c1 = krb5_princ_component(kctx, princ, 0);
c2 = krb5_princ_component(kctx, princ, 1);
realm = krb5_princ_realm(kctx, princ);
- if (strncmp(handle->params.realm, realm->data, realm->length) == 0
- && strncmp("kadmin", c1->data, c1->length) == 0) {
-
- if (strncmp("history", c2->data, c2->length) == 0)
- goto fail_princ;
- else
- success = 1;
- }
+ success = data_eq_string(*realm, handle->params.realm) &&
+ data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
fail_princ:
if (!success) {
More information about the cvs-krb5
mailing list