]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f18ddf5) | patch
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
authorGreg Hudson <ghudson@mit.edu>
Tue, 15 Jul 2014 16:56:01 +0000 (12:56 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 21 Jul 2014 16:53:18 +0000 (12:53 -0400)
commit524688ce87a15fc75f87efc8c039ba4c7d5c197b
tree2ed1cefc720ae109c04374d7bbed327c754827cdtree | snapshot
parentf18ddf5d82de0ab7591a36e465bc24225776940fcommit | diff
Fix null deref in SPNEGO acceptor [CVE-2014-4344]

When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length.  This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token.  This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

ticket: 7970 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
target_version: 1.12.2
tags: pullup
src/lib/gssapi/spnego/spnego_mech.c diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git