krb5 commit [krb5-1.14]: Check for null kadm5 policy name [CVE-2015-8630]

Tom Yu tlyu at mit.edu
Mon Feb 8 17:44:23 EST 2016


https://github.com/krb5/krb5/commit/46ed05100ed8b0a82e047089cec94147ff471fb1
commit 46ed05100ed8b0a82e047089cec94147ff471fb1
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jan 8 12:52:28 2016 -0500

    Check for null kadm5 policy name [CVE-2015-8630]
    
    In kadm5_create_principal_3() and kadm5_modify_principal(), check for
    entry->policy being null when KADM5_POLICY is included in the mask.
    
    CVE-2015-8630:
    
    In MIT krb5 1.12 and later, an authenticated attacker with permission
    to modify a principal entry can cause kadmind to dereference a null
    pointer by supplying a null policy value but including KADM5_POLICY in
    the mask.
    
        CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
    
    (cherry picked from commit b863de7fbf080b15e347a736fdda0a82d42f4f6b)
    
    ticket: 8342
    version_fixed: 1.14.1

 src/lib/kadm5/srv/svr_principal.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 5b95fa3..1d4365c 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
     /*
      * Argument sanity checking, and opening up the DB
      */
+    if (entry == NULL)
+        return EINVAL;
     if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
        (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
         return KADM5_BAD_MASK;
     if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
         return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && entry->policy == NULL)
+        return KADM5_BAD_MASK;
     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
         return KADM5_BAD_MASK;
     if((mask & ~ALL_PRINC_MASK))
         return KADM5_BAD_MASK;
-    if (entry == NULL)
-        return EINVAL;
 
     /*
      * Check to see if the principal exists
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
 
     krb5_clear_error_message(handle->context);
 
+    if(entry == NULL)
+        return EINVAL;
     if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
        (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
         return KADM5_BAD_MASK;
     if((mask & ~ALL_PRINC_MASK))
         return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && entry->policy == NULL)
+        return KADM5_BAD_MASK;
     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
         return KADM5_BAD_MASK;
-    if(entry == (kadm5_principal_ent_t) NULL)
-        return EINVAL;
     if (mask & KADM5_TL_DATA) {
         tl_data_orig = entry->tl_data;
         while (tl_data_orig) {


More information about the cvs-krb5 mailing list