git.ipfire.org Git - thirdparty/krb5.git/commit

]> git.ipfire.org Git - thirdparty/krb5.git/commit

projects / thirdparty / krb5.git / commit

author	Greg Hudson <ghudson@mit.edu>
	Wed, 5 Nov 2014 16:58:04 +0000 (11:58 -0500)
committer	Greg Hudson <ghudson@mit.edu>
	Wed, 4 Feb 2015 19:26:15 +0000 (14:26 -0500)
commit	82dc33da50338ac84c7b4102dc6513d897d0506a
tree	087e8351d9b2ea3c6211d7c19b8b06779b2a33ad	tree
parent	19bb843b40d3f62f4e29f4847717862f1423135e	commit \| diff

Fix gss_process_context_token() [CVE-2014-5352]

[MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not
actually delete the context; that leaves the caller with a dangling
pointer and no way to know that it is invalid. Instead, mark the
context as terminated, and check for terminated contexts in the GSS
functions which expect established contexts. Also add checks in
export_sec_context and pseudo_random, and adjust t_prf.c for the
pseudo_random check.

ticket: 8055 (new)
target_version: 1.13.1
tags: pullup

14 files changed:

src/lib/gssapi/krb5/context_time.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/export_sec_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/gssapiP_krb5.h		diff \| blob \| blame \| history
src/lib/gssapi/krb5/gssapi_krb5.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/inq_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5seal.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5sealiov.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5unseal.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5unsealiov.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/lucid_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/prf.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/process_context_token.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/wrap_size_limit.c		diff \| blob \| blame \| history
src/tests/gssapi/t_prf.c		diff \| blob \| blame \| history

Mirror of https://github.com/krb5/krb5.git

RSS Atom