Browse files

Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name").  Only clients authorized to create principals can trigger the
bug.  Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ Minor style change and commit message]

(cherry picked from commit c5be620)

ticket: 7152
version_fixed: 1.10.2
status: resolved
  • Loading branch information...
1 parent 3707cc9 commit ca2909440015d33be42e77d1955194963d8c0955 Richard Basch committed with tlyu May 29, 2012
Showing with 1 addition and 1 deletion.
  1. +1 −1 src/lib/kadm5/srv/svr_principal.c
@@ -187,7 +187,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
char *password = *passptr;
/* Old-style randkey operations disallowed tickets to start. */
- if (!(mask & KADM5_ATTRIBUTES) ||
+ if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
!(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))

0 comments on commit ca29094

Please sign in to comment.