git.ipfire.org Git - thirdparty/krb5.git/commit

]> git.ipfire.org Git - thirdparty/krb5.git/commit

projects / thirdparty / krb5.git / commit

author	Tom Yu <tlyu@mit.edu>
	Wed, 4 Feb 2015 21:09:16 +0000 (16:09 -0500)
committer	Tom Yu <tlyu@mit.edu>
	Wed, 4 Feb 2015 22:21:14 +0000 (17:21 -0500)
commit	e76dbd8d163e235d821011ed9ea3baa5376da854
tree	4ecca52a41b617ec294378cff76e7f7ba87d3ae8	tree
parent	148cd34af730134141fac6e3907ab8627fff948b	commit \| diff

Fix gss_process_context_token() [CVE-2014-5352]

[MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not
actually delete the context; that leaves the caller with a dangling
pointer and no way to know that it is invalid. Instead, mark the
context as terminated, and check for terminated contexts in the GSS
functions which expect established contexts. Also add checks in
export_sec_context and pseudo_random, and adjust t_prf.c for the
pseudo_random check.

(back ported from commit 82dc33da50338ac84c7b4102dc6513d897d0506a)

ticket: 8067 (new)
version_fixed: 1.12.3
status: resolved

13 files changed:

src/lib/gssapi/krb5/context_time.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/export_sec_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/gssapiP_krb5.h		diff \| blob \| blame \| history
src/lib/gssapi/krb5/gssapi_krb5.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/inq_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5seal.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5sealiov.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5unseal.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/k5unsealiov.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/lucid_context.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/prf.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/process_context_token.c		diff \| blob \| blame \| history
src/lib/gssapi/krb5/wrap_size_limit.c		diff \| blob \| blame \| history

Mirror of https://github.com/krb5/krb5.git

RSS Atom