author | Richard Basch <basch@alum.mit.edu> | 2012-05-29 14:07:03 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-05-29 14:10:27 -0400 |
commit | c5be6209311d4a8f10fda37d0d3f876c1b33b77b (patch) | |
tree | 7788c82ab07f3de54c633d0f8982cf9bad6fc029 /src/lib/kadm5 | |
parent | eebe17cce0dfaaeb403fe97c6e2048dda32226f1 (diff) | |
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson@mit.edu: Minor style change and commit message]
ticket: 7152
target_version: 1.10.2
tags: pullup
Diffstat (limited to 'src/lib/kadm5')
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index a0b110def..f5ea005b2 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, char *password = *passptr; /* Old-style randkey operations disallowed tickets to start. */ - if (!(mask & KADM5_ATTRIBUTES) || + if (password == NULL || !(mask & KADM5_ATTRIBUTES) || !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) return; |
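
Review bot: The new `password == NULL` test in check_1_6_dummy sits under the comment "Old-style randkey operations disallowed tickets to start.", which describes only the attribute checks, so nothing in the code records why a null password has to return early. A one-line comment would help here, stating that a request with no password (the commit message's "addprinc -randkey -allow_tix name" case) cannot be carrying the 1.6 dummy password and that the code after this return is where the null pointer was dereferenced. That would keep a later refactor from dropping or reordering the check. Putting the test first in the `||` chain is the right order, since it short-circuits before anything else is evaluated. Separately, `*passptr` on the line above is still dereferenced unconditionally, so the function relies on every caller passing a non-NULL passptr; if that is the contract, it is worth stating in the function's header comment.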