pull up r23912 from trunk
authorTom Yu <tlyu@mit.edu>
Tue, 20 Apr 2010 22:37:22 +0000 (22:37 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 20 Apr 2010 22:37:22 +0000 (22:37 +0000)
 ------------------------------------------------------------------------
 r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines

 ticket: 6702
 target_version: 1.8.2
 tags: pullup

 Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
 by ticket renewal.  Add a test case.

 See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490

 Thanks to Joel Johnson and Brian Almeida for the reports.

ticket: 6702
version_fixed: 1.8.2
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23914 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_tgs_req.c
src/tests/dejagnu/config/default.exp
src/tests/dejagnu/krb-standalone/standalone.exp

index b2f065514098c1ebb3be3b143587dec25c52bdbd..76ca94abc0696b1ccdbfa1f07bcf6524fc18239a 100644 (file)
@@ -543,6 +543,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
         clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
     }
 
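Review bot: The new `enc_tkt_reply.authorization_data = NULL;` right after the struct copy carries no explanation, so a maintainer reading only this branch sees a field being dropped from a copy and could "clean it up" and reintroduce the bug. Suggest a comment such as `/* Don't alias header_ticket's authorization_data here: the reply's copy is released separately, and sharing the pointer caused a double free (CVE-2010-1230). */`, worded to match what the surrounding code actually frees. The line above it is a shallow struct copy, so the other pointer members of enc_part2 are still shared with the header ticket; whether any of them is later freed through enc_tkt_reply is outside this hunk and worth confirming once rather than per field. The enclosing function starts and ends outside the hunk.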
@@ -554,6 +555,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
 
         old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
 
index 98a9a439bb89be2ea0de41339159747ed021734a..79afd09e6ce3277837b481c19198b7b41c3fd637 100644 (file)
@@ -2226,6 +2226,41 @@ proc kinit { name pass standalone } {
 
     return 1
 }
+
+proc kinit_renew { name pass standalone } {
+    global REALMNAME
+    global KINIT
+    global spawn_id
+
+    spawn $KINIT -5 -f $name@$REALMNAME
+    expect {
+       "Password for $name@$REALMNAME:" {
+           verbose "kinit started"
+       }
+       timeout {
+           fail "kinit"
+           return 0
+       }
+       eof {
+           fail "kinit"
+           return 0
+       }
+    }
+    send "$pass\r"
+    expect eof
+    if ![check_exit_status kinit] {
+       return 0
+    }
+
+    spawn $KINIT -R
+    expect eof
+    if ![check_exit_status "kinit_renew"] {
+       return 0
+    }
+
+    return 1
+}
+
 # Retrieve a ticket using FAST armor
 proc kinit_fast { name pass standalone } {
     global REALMNAME
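Review bot: The `expect eof` after `spawn $KINIT -R` has no timeout arm, unlike the password-prompt expect above it; if the KDC dies or stops answering during the renewal, which is exactly the failure this test is meant to catch, the step waits on the client's own retries rather than failing promptly, and `check_exit_status` is then reached after a silent expect timeout. Add an arm, e.g. `expect { eof {} timeout { fail "kinit_renew"; return 0 } }`. The initial kinit also asks for a forwardable ticket but not a renewable one, so unless the test krb5.conf sets a renew lifetime (not visible here) `kinit -R` would be rejected before reaching the KDC renewal code; passing `-r` explicitly would make the test self-contained. The two `fail "kinit"` labels in the first expect are indistinguishable from the plain `kinit` proc's failures; `fail "kinit_renew"` would make a log easier to read.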
index c511798b445d80f5a8cc1894cc2e78cfaa12c95a..dbaf95dbd75983ac6043d62cd4c9c557acb25517 100644 (file)
@@ -201,6 +201,10 @@ proc doit { } {
        return
     }
 
+    if ![kinit_renew krbtest/admin adminpass$KEY 1] {
+       return
+    }
+
     # Make sure that klist can see the ticket.
     if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
        return
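Review bot: The added call has no comment tying it to the regression it exercises, so a reader of standalone.exp sees a renewal inserted between the initial kinit and the klist check without knowing why. Suggest `# Renew the TGT (regression test for the CVE-2010-1230 KDC double free).` above the `if`. Because `kinit -R` rewrites the credential cache, the `do_klist` that follows now inspects the renewed TGT rather than the one from the initial kinit; that is fine for a presence check but worth being aware of if the klist step is later made stricter. The enclosing `doit` proc starts and ends outside the hunk.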