From: Richard Basch
Date: Tue, 29 May 2012 18:07:03 +0000 (-0400)
Subject: Null pointer deref in kadmind [CVE-2012-1013]
X-Git-Tag: krb5-1.9.4-final~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7d42a08d9a4e4559e3efa3ed199927407be658e;p=thirdparty%2Fkrb5.git

Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)

ticket: 7168 (new)
version_fixed: 1.9.4
status: resolved
---
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index ba76b5d8ec..2b630afc97 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -194,7 +194,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, char *password = *passptr; /* Old-style randkey operations disallowed tickets to start. */ - if (!(mask & KADM5_ATTRIBUTES) || + if (password == NULL || !(mask & KADM5_ATTRIBUTES) || !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) return;
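Review bot: The added `password == NULL` guard in check_1_6_dummy is placed first in the `||` chain so the early return happens before anything touches the pointer, but the comment directly above it, "Old-style randkey operations disallowed tickets to start.", no longer explains the new case; since the commit message ties the null password to a -randkey create-principal request that also sets KRB5_KDB_DISALLOW_ALL_TIX, consider extending that comment to say that a NULL password means there is no password to check and the function has nothing to do. The hunk shows only the guard and not the later use of `password` that was dereferenced, so whether this single test covers every path in the function rests on the commit message rather than on the visible lines; it would help to cite the dereferencing line in the message or add a short test with `addprinc -randkey -allow_tix` to the kadmin test suite.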