]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 560e11d) | patch
Fix S4U2Self KDC crash when anon is restricted 485/head
authorGreg Hudson <ghudson@mit.edu>
Tue, 19 Jul 2016 15:00:28 +0000 (11:00 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 19 Jul 2016 16:35:42 +0000 (12:35 -0400)
commit93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
treeb55091f944b6bfc2a71eb0bf5ce752c5eb1437f2tree
parent560e11dabb63b141df29c54aaa2e120309a1e021commit | diff
Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

ticket: 8458 (new)
target_version: 1.14-next
target_version: 1.13-next
src/kdc/kdc_util.c diff | blob | blame | history
src/tests/t_pkinit.py diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git