From: Andreas Schneider
Date: Fri, 4 Aug 2023 07:54:06 +0000 (+0200)
Subject: Fix double-free in KDC TGS processing
X-Git-Tag: krb5-1.22-beta1~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1312%2Fhead;p=thirdparty%2Fkrb5.git

Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975: In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to free the same pointer twice if it can induce a failure in authorization data handling.

ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
---
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 6e4c8fa9f3..0acc45850f 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t, } if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) { - /* Copy the whole header ticket except for authorization data. */ - ticket_reply = *t->header_tkt; + /* Copy the header ticket server and all enc-part fields except for + * authorization data. */ + ticket_reply.server = t->header_tkt->server; enc_tkt_reply = *t->header_tkt->enc_part2; enc_tkt_reply.authorization_data = NULL; } else {
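Review bot: with the struct copy `ticket_reply = *t->header_tkt;` gone, every field of ticket_reply other than server now depends on how ticket_reply was initialized earlier in tgs_issue_ticket(), which this hunk does not show; please confirm it is zeroed before this branch so enc_part starts out NULL rather than indeterminate on the handle_authdata() failure path. The new comment could also say that `ticket_reply.server = t->header_tkt->server;` and `enc_tkt_reply = *t->header_tkt->enc_part2;` are still shallow pointer copies into the header ticket, so the fix holds only as long as the cleanup path never frees those fields through the reply; that is the invariant a future refactor must keep.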