[krbdev.mit.edu #7506] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Sun Dec 16 21:30:48 EST 2012
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu at mit.edu: reformat comment and edit log message]
(cherry picked from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)
https://github.com/krb5/krb5/commit/6550da5ecc58af19bc2e4e6c1108d25b210c6ef8
Author: Nalin Dahyabhai <nalin at redhat.com>
Committer: Tom Yu <tlyu at mit.edu>
Commit: 6550da5ecc58af19bc2e4e6c1108d25b210c6ef8
Branch: krb5-1.11
src/plugins/preauth/pkinit/pkinit_srv.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
More information about the krb5-bugs
mailing list