Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | Subject: kerb: Fix LDAP null deref on empty arg [CVE-2016-3119] |
| 2 | From: Greg Hudson |
| 3 | |
| 4 | In the LDAP KDB module's process_db_args(), strtok_r() may return NULL |
| 5 | if there is an empty string in the db_args array. Check for this case |
| 6 | and avoid dereferencing a null pointer. |
| 7 | |
| 8 | CVE-2016-3119: |
| 9 | |
| 10 | In MIT krb5 1.6 and later, an authenticated attacker with permission |
| 11 | to modify a principal entry can cause kadmind to dereference a null |
| 12 | pointer by supplying an empty DB argument to the modify_principal |
| 13 | command, if kadmind is configured to use the LDAP KDB module. |
| 14 | |
| 15 | CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND |
| 16 | |
| 17 | ticket: 8383 (new) |
| 18 | target_version: 1.14-next |
| 19 | target_version: 1.13-next |
| 20 | tags: pullup |
| 21 | |
| 22 | Upstream-Status: Backport |
| 23 | |
| 24 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| 25 | Index: krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |
| 26 | =================================================================== |
| 27 | --- krb5-1.13.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-05-09 07:27:02.000000000 +0800 |
| 28 | +++ krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2016-04-11 15:17:12.874140518 +0800 |
| 29 | @@ -267,6 +267,7 @@ |
| 30 | if (db_args) { |
| 31 | for (i=0; db_args[i]; ++i) { |
| 32 | arg = strtok_r(db_args[i], "=", &arg_val); |
| 33 | + arg = (arg != NULL) ? arg : ""; |
| 34 | if (strcmp(arg, TKTPOLICY_ARG) == 0) { |
| 35 | dptr = &xargs->tktpolicydn; |
| 36 | } else { |