Commit aa4e888e authored by Cy Schubert

security/krb5-121: Fix double-free in KDC TGS processing

Upstream's commit log message:

    When issuing a ticket for a TGS renew or validate request, copy only
    the server field from the outer part of the header ticket to the new
    ticket.  Copying the whole structure causes the enc_part pointer to be
    aliased to the header ticket until krb5_encrypt_tkt_part() is called,
    resulting in a double-free if handle_authdata() fails.

    [ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
    than check for aliasing before freeing; rewrote commit message]

    CVE-2023-39975:

    In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
    free the same pointer twice if it can induce a failure in
    authorization data handling.

    ticket: 9101 (new)
    tags: pullup
    target_version: 1.21-next

Obtained from:	Upstream git commit 88a1701b4
MFH:		2023Q3

(cherry picked from commit 73ac8e03)
parent 07dc31ec
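The root cause described in the commit message, a whole-struct assignment that silently copies an owned pointer and leaves two objects claiming the same heap allocation, is shown below as an added example. It is not code from MIT krb5 or from this port; the `ticket` and `enc_data` types, `ticket_new` and `ticket_free_fields` are simplified, assumed stand-ins for the KDC structures named in the log. The first function reproduces the aliasing that the fix removes; the second copies only the server field, so that the simulated failure path can release both tickets without freeing anything twice.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the KDC ticket structures
 * (assumed names; not MIT krb5's real definitions). */
typedef struct {
    char *ciphertext;    /* heap buffer owned by the enc_data */
} enc_data;

typedef struct {
    char *server;        /* heap string owned by the ticket */
    enc_data *enc_part;  /* heap object owned by the ticket */
} ticket;

/* Portable strdup replacement so the example builds under strict ISO C. */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Build a header ticket that owns all of its heap fields. */
static ticket *ticket_new(const char *server, const char *blob) {
    ticket *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->server = dup_str(server);
    t->enc_part = calloc(1, sizeof *t->enc_part);
    if (t->enc_part) t->enc_part->ciphertext = dup_str(blob);
    return t;
}

/* Release everything a ticket owns. Calling this on two tickets that share
 * an enc_part pointer would free that object twice. */
static void ticket_free_fields(ticket *t) {
    if (!t) return;
    free(t->server);
    if (t->enc_part) {
        free(t->enc_part->ciphertext);
        free(t->enc_part);
    }
    t->server = NULL;
    t->enc_part = NULL;
}

/* Vulnerable pattern: whole-struct assignment copies the enc_part pointer,
 * so the new ticket and the header ticket both "own" the same object.
 * Returns 1 when the copy aliases the header's enc_part. */
int whole_struct_copy_aliases(void) {
    ticket *header = ticket_new("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", "opaque-bytes");
    ticket fresh;
    fresh = *header;  /* the bug: fresh.enc_part == header->enc_part */
    int aliased = (fresh.enc_part == header->enc_part);
    /* On the real error path both tickets would be released here, freeing
     * enc_part twice. To keep this program well-defined, the shared
     * allocations are released once, through the header only. */
    ticket_free_fields(header);
    free(header);
    return aliased;
}

/* Fixed pattern: copy only the server field and leave enc_part NULL until
 * the new ticket's own encrypted part is produced later.
 * Returns 1 when the new ticket shares no allocation with the header. */
int field_copy_is_safe(void) {
    ticket *header = ticket_new("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", "opaque-bytes");
    ticket fresh = {0};
    fresh.server = dup_str(header->server);
    int no_alias = (fresh.enc_part == NULL);
    /* Simulated failure in authdata handling: both tickets are cleaned up,
     * each owning only its own allocations, so nothing is freed twice. */
    ticket_free_fields(&fresh);
    ticket_free_fields(header);
    free(header);
    return no_alias;
}
```

Running either function under AddressSanitizer, or the vulnerable one with the commented-out second free restored, is the quickest way to see why the upstream fix prefers not aliasing `enc_part` at all over checking for aliasing just before the free: ownership that is unambiguous at the point of the copy cannot be mishandled on any later error path.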