Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix double-free in KDC TGS processing
When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails. [ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather than check for aliasing before freeing; rewrote commit message] CVE-2023-39975: In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to free the same pointer twice if it can induce a failure in authorization data handling. ticket: 9101 (new) tags: pullup target_version: 1.21-next
- Loading branch information