From 0b11a472cf0e83972228ad9ca6ee645e4ffd4c24 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 15 Jun 2012 14:13:35 -0400 Subject: [PATCH] Null pointer deref in kadmind [CVE-2012-1013] The fix for #6626 could cause kadmind to dereference a null pointer if a create-principal request contains no password but does contain the KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix name"). Only clients authorized to create principals can trigger the bug. Fix the bug by testing for a null password in check_1_6_dummy. CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C [ghudson@mit.edu: Minor style change and commit message] (cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b) ticket: 7178 (new) version_fixed: 1.8.7 status: resolved --- src/lib/kadm5/srv/svr_principal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 469a8e885a..c9a6881d94 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -196,7 +196,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask, char *password = *passptr; /* Old-style randkey operations disallowed tickets to start. */ - if (!(mask & KADM5_ATTRIBUTES) || + if (password == NULL || !(mask & KADM5_ATTRIBUTES) || !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) return; -- 2.47.2