Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
(cherry picked from commit
3551501359c6d2396fa4779d378ae165f5b37242)
ticket: 7225
version_fixed: 1.9.5
status: resolved
continue;
}
- if (request_contains_enctype(context, request, db_etype)) {
+ if (krb5_is_permitted_enctype(context, db_etype) &&
+ request_contains_enctype(context, request, db_etype)) {
retval = _make_etype_info_entry(context, client->princ,
client_key, db_etype,
&entry[i], etype_info2);
return 0;
pa.magic = KV5M_PA_DATA;
pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+ memset(&checksum, 0, sizeof(checksum));
retval = krb5_c_make_checksum(kdc_context,0, reply_key,
KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
if (retval != 0)
krb5_boolean saw_non_permitted = FALSE;
ret = 0;
+ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+ return KRB5_KDB_NO_PERMITTED_KEY;
+
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
projects / thirdparty / krb5.git / commitdiff
