CVE-2023-39975: Fix double-free in KDC TGS processing · krb5/krb5@88a1701
kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.
Fix double-free in KDC TGS processing
When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails.
[[email protected]: changed the fix to avoid aliasing enc_part rather than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to free the same pointer twice if it can induce a failure in authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
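The aliasing described in the commit message, shown as an added illustration that is not the project's code: it uses simplified hypothetical stand-in types for the ticket and its encrypted part (not krb5's real `krb5_ticket`/`krb5_enc_data`), and counts how many owners the header ticket's `enc_part` buffer ends up with on the error path instead of calling `free()` twice.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the KDC's ticket structures. */
typedef struct { const char *ciphertext; } enc_data;
typedef struct { const char *server; enc_data *enc_part; } ticket;

/* Vulnerable pattern: a whole-struct copy is shallow, so the new ticket's
   enc_part points at the same buffer as the header ticket's.  Returns 1
   when the two tickets alias the same enc_part. */
static int build_ticket_whole_copy(const ticket *header, ticket *out) {
    *out = *header;
    return out->enc_part == header->enc_part;
}

/* Fixed pattern: copy only the server field.  enc_part stays NULL until
   the encryption step allocates a fresh buffer for the new ticket. */
static int build_ticket_server_only(const ticket *header, ticket *out) {
    memset(out, 0, sizeof(*out));
    out->server = header->server;
    return out->enc_part == header->enc_part;
}

/* Simulates the TGS error path: authorization-data handling fails before
   the encryption step ever replaced new_tkt.enc_part, the new ticket is
   discarded, then the header ticket is freed.  Returns how many times the
   header ticket's enc_part buffer would be handed to free(): 2 means a
   double-free.  Nothing is actually freed here. */
static int enc_part_free_count_on_error(int use_fix) {
    enc_data part = { "constructed-ciphertext" };
    ticket header = { "krbtgt/EXAMPLE.COM@EXAMPLE.COM", &part };
    ticket new_tkt;
    int frees = 0;

    if (use_fix)
        build_ticket_server_only(&header, &new_tkt);
    else
        build_ticket_whole_copy(&header, &new_tkt);

    /* Cleanup of the discarded new ticket frees its enc_part if set. */
    if (new_tkt.enc_part != NULL && new_tkt.enc_part == header.enc_part)
        frees++;
    /* Cleanup of the header ticket always frees its own enc_part. */
    frees++;
    return frees;
}
```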
Related news
Gentoo Linux Security Advisory 202405-11 - Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution. Versions greater than or equal to 1.21.2 are affected.