------------------------------------------------------------------------
r23912 | tlyu | 2010-04-20 17:12:10 -0400 (Tue, 20 Apr 2010) | 11 lines
ticket: 6702
target_version: 1.8.2
tags: pullup
Fix CVE-2010-1230 (MITKRB5-SA-2010-004) double-free in KDC triggered
by ticket renewal. Add a test case.
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
Thanks to Joel Johnson and Brian Almeida for the reports.
ticket: 6702
version_fixed: 1.8.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23914
dc483132-0cff-0310-8789-
dd5450dbe970
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
return 1
}
+
+proc kinit_renew { name pass standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ spawn $KINIT -5 -f $name@$REALMNAME
+ expect {
+ "Password for $name@$REALMNAME:" {
+ verbose "kinit started"
+ }
+ timeout {
+ fail "kinit"
+ return 0
+ }
+ eof {
+ fail "kinit"
+ return 0
+ }
+ }
+ send "$pass\r"
+ expect eof
+ if ![check_exit_status kinit] {
+ return 0
+ }
+
+ spawn $KINIT -R
+ expect eof
+ if ![check_exit_status "kinit_renew"] {
+ return 0
+ }
+
+ return 1
+}
+
# Retrieve a ticket using FAST armor
proc kinit_fast { name pass standalone } {
global REALMNAME
return
}
+ if ![kinit_renew krbtest/admin adminpass$KEY 1] {
+ return
+ }
+
# Make sure that klist can see the ticket.
if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return
projects / krb5.git / commitdiff