Bug 1302632 - (CVE-2015-8630) CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
low Severity low
Assigned To: Red Hat Product Security
: Security
Depends On: 1302633 1306969 1306970
Blocks: 1302647
Reported: 2016-01-28 05:12 EST by Adam Mariš
Modified: 2016-04-03 19:18 EDT

Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() functions did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash.
Last Closed: 2016-04-01 03:07:42 EDT
Description Adam Mariš 2016-01-28 05:12:51 EST
It was reported that in MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask.

Upstream patch:

Comment 1 Adam Mariš 2016-01-28 05:13:22 EST
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302633]
Comment 6 Tomas Hoger 2016-03-03 16:29:12 EST
Upstream bug report:


Fixed upstream in krb5 1.14.1:


The upstream bug report also indicates the issue will be fixed in 1.13.4.
Comment 7 errata-xmlrpc 2016-03-31 18:03:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html
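
The missing check described in this report, as an added example that is not the upstream krb5 patch or Red Hat's code: a simplified C model in which a mask bit claims that a pointer field is populated. `MASK_POLICY` stands in for KADM5_POLICY; the struct, function names, error codes and policy list are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the kadm5 mask bits and error codes;
 * all values are constructed for this example. */
#define MASK_PRINCIPAL 0x1L
#define MASK_POLICY    0x2L   /* plays the role of KADM5_POLICY */
#define ERR_OK         0
#define ERR_BAD_MASK   1
#define ERR_NO_POLICY  2

struct entry {
    const char *principal;
    const char *policy;       /* only meaningful when MASK_POLICY is set */
};

static const char *known_policies[] = { "default", "admins" }; /* constructed */

static int policy_exists(const char *name)
{
    for (size_t i = 0; i < sizeof known_policies / sizeof *known_policies; i++)
        if (strcmp(known_policies[i], name) == 0)   /* a NULL name faults here */
            return 1;
    return 0;
}

/* Flawed pattern: treats the mask bit as proof that the pointer is set. */
int store_unchecked(const struct entry *e, long mask)
{
    if ((mask & MASK_POLICY) && !policy_exists(e->policy))
        return ERR_NO_POLICY;
    return ERR_OK;
}

/* Hardened pattern: reject mask/pointer disagreement before any lookup. */
int store_checked(const struct entry *e, long mask)
{
    if (e == NULL || !(mask & MASK_PRINCIPAL) || e->principal == NULL)
        return ERR_BAD_MASK;
    if ((mask & MASK_POLICY) && e->policy == NULL)
        return ERR_BAD_MASK;
    return store_unchecked(e, mask);
}

int main(void)
{
    struct entry bad = { "alice@EXAMPLE.COM", NULL };   /* constructed request */
    return store_checked(&bad, MASK_PRINCIPAL | MASK_POLICY) == ERR_BAD_MASK ? 0 : 1;
}
```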
