Package: krb5 / 1.12.1+dfsg-19+deb8u4

fix-s4u2self-kdc-crash-when-anon-is-rest.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 19 Jul 2016 11:00:28 -0400
X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 862d5e532d03db566ee2955f69e008a253d39dec
Subject: Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)

ticket: 8458
version_fixed: 1.14.3

(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)

---

--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
+++ krb5-1.12.1+dfsg/src/kdc/kdc_util.c
@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act
         return(KDC_ERR_MUST_USE_USER2USER);
     }
 
-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
+    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
         *status = "ANONYMOUS NOT ALLOWED";
         return(KDC_ERR_POLICY);
     }
--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py
+++ krb5-1.12.1+dfsg/src/tests/t_pkinit.py
@@ -81,6 +81,11 @@ out = realm.run([kvno, realm.host_princ]
 if 'KDC policy rejects request' not in out:
     fail('Wrong error for restricted anonymous PKINIT')
 
+# Regression test for #8458: S4U2Self requests crash the KDC if
+# anonymous is restricted.
+realm.kinit(realm.host_princ, flags=['-k'])
+realm.run([kvno, '-U', 'user', realm.host_princ])
+
 # Go back to a normal KDC and disable anonymous PKINIT.
 realm.stop_kdc()
 realm.start_kdc()