File bug-806715-CVE-2013-1415-fix-PKINIT-null-pointe... of Package krb5

Overview Repositories Revisions Requests Users Attributes Meta

File bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif of Package krb5

commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Feb 14 18:17:40 2013 -0500

PKINIT null pointer deref [CVE-2013-1415]
    
    Don't dereference a null pointer when cleaning up.
    
    The KDC plugin for PKINIT can dereference a null pointer when a
    malformed packet causes processing to terminate early, leading to
    a crash of the KDC process.  An attacker would need to have a valid
    PKINIT certificate or have observed a successful PKINIT authentication,
    or an unauthenticated attacker could execute the attack if anonymous
    PKINIT is enabled.
    
    CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
    
    This is a minimal commit for pullup; style fixes in a followup.
    [kaduk@mit.edu: reformat and edit commit message]
    
    ticket: 7570 (new)
    target_version: 1.11.1
    tags: pullup

--- krb5-1.7/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.orig	2013-04-24 10:46:59.819058706 +0200
+++ krb5-1.7/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2013-04-24 10:47:57.875487962 +0200
@@ -2787,7 +2787,7 @@
     pkiDebug("found kdcPkId in AS REQ\n");
     is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
     if (is == NULL)
-	goto cleanup;
+        return retval;
 
     status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
     if (!status) {
@@ -2797,7 +2797,6 @@
     }
 
     retval = 0;
-cleanup:
     X509_NAME_free(is->issuer);
     ASN1_INTEGER_free(is->serial);
     free(is);

Places

File bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif of Package krb5

Places