Regression tests for CVE-2012-1014, CVE-2012-1015

ticket: 7231 (new) target_version: 1.10.3 tags: pullup
krb5 · Aug 8, 2012 · 98d2c88 · 98d2c88
1 parent 0474c48
commit 98d2c88
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 0 deletions.
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
@@ -81,6 +81,8 @@ check-pytests:: hist
 	$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS)
 #	$(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
 
 clean::
 	$(RM) krb5.conf kdc.conf

diff --git a/src/tests/t_cve-2012-1014.py b/src/tests/t_cve-2012-1014.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1014 KDC dereferences uninitialized pointer
+
+# Affects only krb5-1.10.x.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A5E305BA103020105A2030201')
+x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' +
+                      '0CA003020101A10530031B0141A2031B' +
+                      '0141A30E300CA003020101A10530031B' +
+                      '0141A511180F31393934303631303036' +
+                      '303331375AA70302012AA80530030201' +
+                      '01')
+
+for x in range(11, 128):
+    s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1014 regression test')
diff --git a/src/tests/t_cve-2012-1015.py b/src/tests/t_cve-2012-1015.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1015 KDC frees uninitialized pointer
+
+# Force a failure in krb5_c_make_checksum(), which causes the cleanup
+# code in kdc_handle_protected_negotiation() to free an uninitialized
+# pointer in an unpatched KDC.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A81A030819DA103020105A20302010A' +
+                      'A30E300C300AA10402020095A2020400' +
+                      'A48180307EA00703050000000000A120' +
+                      '301EA003020101A11730151B066B7262' +
+                      '7467741B0B4B5242544553542E434F4D' +
+                      'A20D1B0B4B5242544553542E434F4DA3' +
+                      '20301EA003020101A11730151B066B72' +
+                      '627467741B0B4B5242544553542E434F' +
+                      '4DA511180F3139393430363130303630' +
+                      '3331375AA7030201')
+
+x2 = base64.b16decode('A8083006020106020112')
+
+for x in range(0, 128):
+    s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1015 regression test')