Bug 753748 (CVE-2011-1530)
| Summary: | CVE-2011-1530 krb5 (krb5kdc): NULL pointer dereference in the TGS handling (MITKRB5-SA-2011-007) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dpal, jplans, nalin, prc, security-response-team, vdanen, zmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 21:58:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 754046, 754047 | ||
| Bug Blocks: | 753754 | ||
|
Description
Jan Lieskovsky
2011-11-14 11:31:24 UTC
Acknowledgements: Red Hat would like to thank the MIT Kerberos project for reporting this issue. In krb5-1.3 and krb5-1.6 (shipped with Red Hat Enterprise Linux 4 and 5), the interface to find_alternate_tgs() is different than krb5-1.9 (shipped with Red Hat Enterprise Linux 6).
It uses two parameters called "more" and "nprincs". Just after the "tgt_again"
label there is a conditional that checks nprincs != 1.
Since firstpass == 0 now, the error handling portion of that block
calls krb5_db_free_principal() on line 185, but nprincs == 0 prevents
any null dereferences in there.
Relevant portions of code (from rhel-5):
159 tgt_again:
160 if (more) {
161 status = "NON_UNIQUE_PRINCIPAL";
162 errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
163 goto cleanup;
164 } else if (nprincs != 1) {
165 /*
....
176 if (!tgs_1 || server_1->length != tgs_1->length ||
177 memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
178 krb5_db_free_principal(kdc_context, &server, nprincs);
179 find_alternate_tgs(request, &server, &more, &nprincs);
180 firstpass = 0;
181 goto tgt_again;
182 }
183 }
184 }
185 krb5_db_free_principal(kdc_context, &server, nprincs);
186 status = "UNKNOWN_SERVER";
187 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
188 goto cleanup;
189 }
Secondly the server variable in rhel-4 and rhel-5 is not defined as a pointer to a structure, but rather a stack-base struct variable.
Therefore:
This issue does not affect the version of krb5 as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of krb5 as shipped with Red Hat Enterprise Linux 6.
This issue affects the version of krb5 shipped with Fedora release of 15 and 16.
External References: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-007.txt Statement: Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 4 and 5. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1790 https://rhn.redhat.com/errata/RHSA-2011-1790.html krb5-1.9.2-4.fc15 is heading to Fedora 15 to fix this flaw, and krb5-1.9.2-4.fc16 to Fedora 16. |