
security/krb5-121: Fix double-free in KDC TGS processing

Description

security/krb5-121: Fix double-free in KDC TGS processing

Upstream's commit log message:

When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket.  Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.

ticket: 9101 (new)
tags: pullup
target_version: 1.21-next

Obtained from: Upstream git commit 88a1701b4
MFH: 2023Q3
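As an added illustration, not code from MIT krb5 or the FreeBSD port, the following C model shows the aliasing the commit message describes. `model_ticket`, `dup_str` and both functions are hypothetical stand-ins: whole-struct assignment copies the `enc_part` pointer along with everything else, so an error path that frees both tickets frees it twice, whereas copying only the server field leaves each ticket owning its own encrypted part.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_ticket with only the two fields the commit
 * message discusses. This is not MIT krb5's real structure. */
typedef struct {
    char *server;    /* server principal; heap-owned in this model */
    char *enc_part;  /* encrypted part; heap-owned, must be freed exactly once */
} model_ticket;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static void free_ticket(model_ticket *t) {
    free(t->server);
    free(t->enc_part);
    t->server = t->enc_part = NULL;
}

/* Pre-fix pattern: struct assignment copies the enc_part pointer, so header
 * and issued both claim the same allocation. Returns 1 if they alias. An
 * error path (the commit's failing handle_authdata()) that frees both tickets
 * would then free enc_part twice; here it is released only once. */
int whole_struct_copy_aliases(void) {
    model_ticket header = { dup_str("krbtgt/EXAMPLE.COM"), dup_str("ct-1") }; /* constructed */
    model_ticket issued = header;                 /* copies enc_part too: the bug */
    int aliased = (issued.enc_part == header.enc_part);
    free_ticket(&header);                         /* issued's fields now dangle */
    return aliased;
}

/* Post-fix pattern: copy only the server field; enc_part stays NULL until the
 * ticket gets its own ciphertext (dup_str stands in for krb5_encrypt_tkt_part()).
 * Returns 1 if aliased, which never happens; both tickets can be freed safely. */
int field_copy_aliases(void) {
    model_ticket header = { dup_str("krbtgt/EXAMPLE.COM"), dup_str("ct-1") }; /* constructed */
    model_ticket issued = { dup_str(header.server), NULL };  /* only server copied */
    int aliased = (issued.enc_part != NULL && issued.enc_part == header.enc_part);
    issued.enc_part = dup_str("ct-2");            /* fresh, independently owned */
    free_ticket(&header);
    free_ticket(&issued);
    return aliased;
}
```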

Details

Provenance
cy authored on Aug 14 2023, 2:43 PM
Parents
R11:907b15ca59ec: security/krb5-devel: update to the latest MIT/KRB5 github commit