[krbdev.mit.edu #9223] git commit
Greg Hudson via RT
rt at krbdev.mit.edu
Thu Jul 9 22:22:10 EDT 2026
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9223 >
Fix key usage list parsing in PKINIT matching code
pkinit_matching.c:parse_list_value() uses strncasecmp() to compare a
comma-delimited substring of the configured input rule (value) against
a string literal (ku->value). The strncasecmp() call uses the wrong
bound, so could erroneously match a prefix of ku->value. When this
happens, the pointer into the rule is incremented by the full length
of the string literal (not the matched prefix), possibly advancing
past the end of the rule and causing a subsequent undefined memory
read.
Fix this bug by checking the rule substring length against the string
literal length before comparing. Reported by Aisle Research (Ze
Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken).
https://github.com/krb5/krb5/commit/53be0c473f8a0bc88e0f0d99544034b04edacb7b
Author: Greg Hudson <ghudson at mit.edu>
Commit: 53be0c473f8a0bc88e0f0d99544034b04edacb7b
Branch: master
src/plugins/preauth/pkinit/pkinit_matching.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
More information about the krb5-bugs
mailing list