Fix KDC heap corruption vuln [CVE-2012-1015]

Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015].  The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().

Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).

Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.

ticket: 7225 (new)
target_version: 1.9.5
tags: pullup

2 files changed, 3 insertions, 1 deletions

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 7cc0ccb28..5ca36769d 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1375,7 +1375,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
                 continue;
 
             }
-            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d3babe7f9..a2a9b4b07 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2490,6 +2490,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)