Package: krb5 / 1.12.1+dfsg-19+deb8u4

fix-ldap-null-deref-on-empty-arg-cve-201.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 14 Mar 2016 17:26:34 -0400
X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 f7e4ca67d86a5a5b280b859072bbc5015a2ddd27
Subject: Fix LDAP null deref on empty arg [CVE-2016-3119]

In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array.  Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)

ticket: 8383
version_fixed: 1.14.2

(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)

---

--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch
     if (db_args) {
         for (i=0; db_args[i]; ++i) {
             arg = strtok_r(db_args[i], "=", &arg_val);
+            arg = (arg != NULL) ? arg : "";
             if (strcmp(arg, TKTPOLICY_ARG) == 0) {
                 dptr = &xargs->tktpolicydn;
             } else {