git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Tue, 19 Jul 2016 15:00:28 +0000 (11:00 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Thu, 21 Jul 2016 19:05:33 +0000 (15:05 -0400)
commit	cce19103f7673edb54b1b8e5fa0a516bd009d2c3
tree	0c502fafb7f178362d96188a7361d34ee294d412	tree
parent	c1804f6b7674e7d18847ac11aa02b8b33ea93a6a	commit \| diff

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
[tlyu@mit.edu: removed test case depending on absent functionality]

ticket: 8458
version_fixed: 1.13.6