CVE-2019-14867: Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t"; if that is not provided, the pointer will be stored in whatever
memory location is pointed to by the stack at that time, causing a crash.

It's also possible for unprivileged end users to trigger parsing of the
krbPrincipalKey.

Fixes #8071: CVE-2019-14867

Reported by Todd Lipcon from Cloudera

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit d2e0d94521)
This commit is contained in:
Simo Sorce
2019-09-16 11:12:25 -04:00
committed by Alexander Bokovoy
parent 9dfce7a69c
commit e11e73abc1
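To make the contract behind this fix concrete: a BER tag reader must be handed storage for the tag it decodes, and the safest way to enforce that is an explicit out-pointer that is checked for NULL rather than a variadic argument that a caller can silently omit. The following is an added example written for this page, not FreeIPA or liblber code; `read_tlv_header`, `my_tag_t`, the `MY_*` constants (assumed to follow the standard BER bit layout, constructed = 0x20, context class = 0x80) and the `sample` bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not liblber: a minimal BER tag/length reader whose
   caller must supply storage for the decoded tag. */
typedef unsigned long my_tag_t;

/* Assumed BER bit layout: bit 5 = constructed, bits 7-8 = class (0x80 = context) */
#define MY_CONSTRUCTED   0x20UL
#define MY_CLASS_CONTEXT 0x80UL

/* Decode one TLV header from buf[0..len). On success writes the tag to
   *tag_out and the content length to *len_out and returns the number of
   header bytes consumed. Returns 0 on NULL out-pointers, truncated input,
   multi-byte tag numbers (not handled here) or a length that overruns buf. */
size_t read_tlv_header(const uint8_t *buf, size_t len,
                       my_tag_t *tag_out, size_t *len_out)
{
    if (buf == NULL || tag_out == NULL || len_out == NULL || len < 2)
        return 0;                       /* no storage for the tag: refuse */
    if ((buf[0] & 0x1f) == 0x1f)
        return 0;                       /* high-tag-number form not supported */

    my_tag_t tag = buf[0];
    size_t pos;
    size_t clen;

    if ((buf[1] & 0x80) == 0) {         /* short-form length */
        clen = buf[1];
        pos = 2;
    } else {                            /* long-form length: 0x8N then N bytes */
        size_t nbytes = buf[1] & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || 2 + nbytes > len)
            return 0;
        clen = 0;
        for (size_t i = 0; i < nbytes; i++)
            clen = (clen << 8) | buf[2 + i];
        pos = 2 + nbytes;
    }

    if (clen > len - pos)
        return 0;                       /* declared content length overruns buffer */

    *tag_out = tag;
    *len_out = clen;
    return pos;
}

/* The tag the patched branch tests for: [2] CONSTRUCTED, context-specific. */
int is_context2_constructed(my_tag_t tag)
{
    return tag == (MY_CONSTRUCTED | MY_CLASS_CONTEXT | 2);
}

/* Constructed sample: a [2] CONSTRUCTED element carrying three content bytes. */
static const uint8_t sample[] = { 0xA2, 0x03, 0x01, 0x02, 0x03 };

/* Decode the sample header into caller-provided storage. */
size_t demo(my_tag_t *tag, size_t *clen)
{
    return read_tlv_header(sample, sizeof sample, tag, clen);
}

int main(void)
{
    my_tag_t tag;
    size_t clen;
    size_t hdr = demo(&tag, &clen);     /* storage for the tag is always passed */
    printf("header bytes=%zu tag=0x%lx content_len=%zu context2=%d\n",
           hdr, tag, clen, is_context2_constructed(tag));
    return hdr == 0;
}
```

The design point is the NULL check at the top of `read_tlv_header`: the function can only write the tag where the caller told it to, so a forgotten argument is a compile-time or early-return error rather than a write through whatever happened to be on the stack.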


@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
retag = ber_peek_tag(be, &setlen);
if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
/* not supported yet, skip */
retag = ber_scanf(be, "t[x]}");
retag = ber_scanf(be, "t[x]}", &tag);
} else {
retag = ber_scanf(be, "}");
}
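Review bot: the "t[x]}" call now passes `&tag`, but the declaration of `tag` lies outside the shown context; confirm it is a `ber_tag_t` in scope at line 554 rather than an `int` or other narrower type, since ber_scanf writes a full ber_tag_t through that pointer. Both branches also assign `retag` from ber_scanf with no check against LBER_ERROR visible in this hunk; if that check is not in the surrounding code, add one after the if/else so a malformed element does not continue into the rest of the decoder.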