tags 702633 + patch
thanks
Hello,
After checking the source code, this part of the code does not seem to
have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at
least the version available in testing and unstable. The current code
is:
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        /* If mutually supported KDFs were found, use the alg agility KDF */
        if (rep->u.dh_Info.kdfID) {
Thus, rep could be NULL, which has been addressed by the following
upstream patch:
https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
I also prepared an NMU[0] in case it helps (it builds fine with
cowbuilder, but I could not test it) and attached the diff to this
email.
Cheers,
--
Arnaud Fontaine
[0] http://people.debian.org/~arnau/packages/krb5/
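A constructed C illustration of the control-flow fix, added here and not the bug report's or krb5's own code: the reply types and the `encKeyPack` choice are hypothetical stand-ins (only the two choice names quoted above come from the source), and `select_kdf` returns which KDF branch the corrected check takes, including the draft9 case with `rep == NULL` that the unfixed code dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the two PKINIT reply types: hypothetical shapes,
 * not krb5's real ASN.1 structures, carrying only the fields the check reads. */
enum { choice_pa_pk_as_rep_dhInfo = 1, choice_pa_pk_as_rep_encKeyPack = 2 };
enum { choice_pa_pk_as_rep_draft9_dhSignedData = 1,
       choice_pa_pk_as_rep_draft9_encKeyPack = 2 };

typedef struct {
    int choice;
    union { struct { int kdfID; } dh_Info; } u;  /* kdfID != 0: agility KDF agreed */
} pk_as_rep;

typedef struct { int choice; } pk_as_rep_draft9;

enum kdf_selection { KDF_NONE = 0, KDF_LEGACY = 1, KDF_AGILITY = 2 };

/* Mirrors the fixed control flow from the patch. The outer condition is true
 * for a draft9 dhSignedData reply even when rep == NULL, so the inner test
 * must re-check rep before reading rep->u.dh_Info.kdfID. */
enum kdf_selection select_kdf(const pk_as_rep_draft9 *rep9, const pk_as_rep *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        /* Unfixed 1.10.x read rep->u.dh_Info.kdfID here unconditionally,
         * which dereferences NULL on the draft9 path (CVE-2012-1016). */
        if (rep != NULL && rep->u.dh_Info.kdfID)
            return KDF_AGILITY;
        return KDF_LEGACY;  /* draft9 reply, or no mutually supported KDF */
    }
    return KDF_NONE;  /* not a DH reply: no KDF choice to make */
}

/* Constructed sample replies covering the paths through the check. */
static const pk_as_rep_draft9 draft9_dh = { choice_pa_pk_as_rep_draft9_dhSignedData };
static const pk_as_rep rfc_dh_agile = { choice_pa_pk_as_rep_dhInfo, { { 1 } } };
static const pk_as_rep rfc_dh_plain = { choice_pa_pk_as_rep_dhInfo, { { 0 } } };
static const pk_as_rep rfc_enckeypack = { choice_pa_pk_as_rep_encKeyPack, { { 0 } } };

int main(void)
{
    /* The first case is the one that crashed the KDC before the fix. */
    printf("draft9 DH, rep NULL      -> %d\n", select_kdf(&draft9_dh, NULL));
    printf("RFC dhInfo, kdfID set    -> %d\n", select_kdf(NULL, &rfc_dh_agile));
    printf("RFC dhInfo, kdfID unset  -> %d\n", select_kdf(NULL, &rfc_dh_plain));
    printf("RFC encKeyPack           -> %d\n", select_kdf(NULL, &rfc_enckeypack));
    return 0;
}
```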
diff -Nru krb5-1.10.1+dfsg/debian/changelog krb5-1.10.1+dfsg/debian/changelog
--- krb5-1.10.1+dfsg/debian/changelog 2013-02-20 10:54:44.000000000 +0900
+++ krb5-1.10.1+dfsg/debian/changelog 2013-03-15 17:03:05.000000000 +0900
@@ -1,3 +1,10 @@
+krb5 (1.10.1+dfsg-4.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * KDC null pointer dereference with PKINIT, CVE-2012-1016. Closes: #702633.
+
+ -- Arnaud Fontaine <[email protected]> Fri, 15 Mar 2013 17:01:29 +0900
+
krb5 (1.10.1+dfsg-4) unstable; urgency=high
* KDC null pointer dereference with PKINIT, CVE-2013-1415
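Review bot: the new changelog line "KDC null pointer dereference with PKINIT, CVE-2012-1016" repeats, word for word, the description of the preceding -4 entry for CVE-2013-1415 visible in the trailing context, so the two fixes are only distinguishable by CVE number; suggest naming the affected path and the upstream commit, e.g. `* PKINIT: don't dereference NULL rep in the draft9 dhSignedData reply path, CVE-2012-1016 (upstream cd5ff932). Closes: #702633.`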
diff -Nru krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch
--- krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch 1970-01-01 09:00:00.000000000 +0900
+++ krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch 2013-03-15 16:59:56.000000000 +0900
@@ -0,0 +1,38 @@
+commit cd5ff932c9d1439c961b0cf9ccff979356686aff
+Author: Nalin Dahyabhai <[email protected]>
+Date: Thu Dec 13 14:26:07 2012 -0500
+
+ PKINIT (draft9) null ptr deref [CVE-2012-1016]
+
+ Don't check for an agility KDF identifier in the non-draft9 reply
+ structure when we're building a draft9 reply, because it'll be NULL.
+
+ The KDC plugin for PKINIT can dereference a null pointer when handling
+ a draft9 request, leading to a crash of the KDC process. An attacker
+ would need to have a valid PKINIT certificate, or an unauthenticated
+ attacker could execute the attack if anonymous PKINIT is enabled.
+
+ CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ [[email protected]: reformat comment and edit log message]
+
+ ticket: 7506 (new)
+ target_version: 1.11
+ tags: pullup
+
+Index: krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c
+===================================================================
+--- krb5-1.10.1+dfsg.orig/src/plugins/preauth/pkinit/pkinit_srv.c 2013-03-15 16:52:57.703154249 +0900
++++ krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c 2013-03-15 16:58:58.971037553 +0900
+@@ -1016,8 +1016,9 @@
+ rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
+ (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+
+- /* If mutually supported KDFs were found, use the alg agility KDF */
+- if (rep->u.dh_Info.kdfID) {
++ /* If we're not doing draft 9, and mutually supported KDFs were found,
++ * use the algorithm agility KDF. */
++ if (rep != NULL && rep->u.dh_Info.kdfID) {
+ secret.data = server_key;
+ secret.length = server_key_len;
+
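Review bot: the patch file carries the raw git commit header but no DEP-3 fields, so `Origin: upstream, https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff`, `Bug-Debian: http://bugs.debian.org/702633` and `Applied-Upstream:` should be added above it for the tooling and for the next maintainer; the one-line change itself is right: the outer condition is satisfied by the draft9 branch alone with `rep == NULL`, and the added `rep != NULL &&` short-circuits before `rep->u.dh_Info.kdfID` is read, sending draft9 replies to the non-agility KDF as the commit message intends.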
diff -Nru krb5-1.10.1+dfsg/debian/patches/series krb5-1.10.1+dfsg/debian/patches/series
--- krb5-1.10.1+dfsg/debian/patches/series 2013-02-20 10:54:44.000000000 +0900
+++ krb5-1.10.1+dfsg/debian/patches/series 2013-03-15 16:52:26.000000000 +0900
@@ -19,3 +19,4 @@
upstream/0019-Null-pointer-deref-in-kadmind-CVE-2012-1013.patch
0020-gssapi-never-unload-mechanisms.patch
0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch
+0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch
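Review bot: the series entry follows the naming of `0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch`, but the other upstream-cherry-picked fix in the visible context lives under `upstream/` (0019), so pick one convention for upstream-origin patches; also, since the patch body diffs `krb5-1.10.1+dfsg.orig/src/...` against `krb5-1.10.1+dfsg/src/...`, confirm with `quilt push -a` in the unpacked source that the default `-p1` strip applies it cleanly, given the cover mail says the NMU built but was not otherwise tested.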