diff options
author | Tom Yu <tlyu@mit.edu> | 2012-07-31 22:45:08 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2012-08-01 13:42:26 -0400 |
commit | 3551501359c6d2396fa4779d378ae165f5b37242 (patch) | |
tree | d5d9c24305b0d2468d5b1f0f7de9d3cf18af2928 /src/lib/kdb | |
parent | f6f5c680aa0a57f581e5f192cef46567cc7415e2 (diff) | |
download | krb5-3551501359c6d2396fa4779d378ae165f5b37242.tar.gz krb5-3551501359c6d2396fa4779d378ae165f5b37242.tar.xz krb5-3551501359c6d2396fa4779d378ae165f5b37242.zip |
Fix KDC heap corruption vuln [CVE-2012-1015]
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
Diffstat (limited to 'src/lib/kdb')
-rw-r--r-- | src/lib/kdb/kdb_default.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index cdb9dccb28..ee01d9d21c 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0; |