[krbdev.mit.edu #8244] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Oct 26 15:04:40 EDT 2015
Fix IAKERB context aliasing bugs [CVE-2015-2696]
The IAKERB mechanism currently replaces its context handle with the
krb5 mechanism handle upon establishment, under the assumption that
most GSS functions are only called after context establishment. This
assumption is incorrect, and can lead to aliasing violations for some
programs. Maintain the IAKERB context structure after context
establishment and add new IAKERB entry points to refer to it with that
type. Add initiate and established flags to the IAKERB context
structure for use in gss_inquire_context() prior to context
establishment.
CVE-2015-2696:
In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash. Java server applications using the
native JGSS provider are vulnerable to this bug. A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
[ghudson at mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Author: Nicolas Williams <nico at twosigma.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Branch: master
src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
src/lib/gssapi/krb5/gssapi_krb5.c | 105 ++++++++++--
src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---
3 files changed, 529 insertions(+), 41 deletions(-)
More information about the krb5-bugs
mailing list