mirror of
https://git.freebsd.org/ports.git
synced 2025-05-12 15:21:51 -04:00
Upstream's commit log message:

When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975: In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to free the same pointer twice if it can induce a failure in authorization data handling.

ticket: 9101 (new)
tags: pullup
target_version: 1.21-next

Obtained from: Upstream git commit 88a1701b4
MFH: 2023Q3
14 lines
616 B
C
--- kdc/do_tgs_req.c.orig 2023-07-10 13:58:20.000000000 -0700
+++ kdc/do_tgs_req.c 2023-08-14 07:23:14.383349000 -0700
@@ -1010,8 +1010,9 @@
}
if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
- /* Copy the whole header ticket except for authorization data. */
- ticket_reply = *t->header_tkt;
+ /* Copy the header ticket server and all enc-part fields except for
+ * authorization data. */
+ ticket_reply.server = t->header_tkt->server;
enc_tkt_reply = *t->header_tkt->enc_part2;
enc_tkt_reply.authorization_data = NULL;
} else {
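Review bot: the replacement line `ticket_reply.server = t->header_tkt->server;` only removes the enc_part alias if `ticket_reply` is zero-initialized before this branch; the declaration is outside the hunk, so confirm that `ticket_reply.enc_part` starts out empty (otherwise the cleanup path that frees the encrypted part now sees an uninitialized pointer instead of an aliased one). Note also that `server` is still a borrowed pointer into the header ticket, as is everything reached through the unchanged `enc_tkt_reply = *t->header_tkt->enc_part2;` shallow copy, so the comment above these lines should state that `ticket_reply` and `enc_tkt_reply` do not own those fields and must never be released with the generic free routines, which is the invariant the double-free violated.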