PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This bug has been present since the initial import of PKINIT for 1.6.3; all later releases are affected.
+*mit-krb5-1.11.1 (22 Feb 2013)
+ 22 Feb 2013; Eray Aslan <email@example.com> +mit-krb5-1.11.1.ebuild:
+ Security bump - bug #458712
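Review bot: The "Security bump - bug #458712" line identifies the fix only by bug number. Naming CVE-2013-1415 in the same entry would let someone reading the ChangeLog on its own tie the 1.11.1 bump to the PKINIT null pointer dereference without opening the bug.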
@security: We can stabilize =app-crypt/mit-krb5-1.11.1. But please note that a bunch of keywords are missing (see bug #412489). Thanks.
As requested by Ago on IRC:
Arches, please test and mark stable =app-crypt/mit-krb5-1.11.1. Thank you.
alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos
The pkinit_check_kdc_pkid function in
plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation
in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during
extraction of fields from an X.509 certificate, which allows remote
attackers to cause a denial of service (NULL pointer dereference and daemon
crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
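The failure mode in the description above (field extraction fails early, then cleanup touches an object that was never built) as an added C sketch; it is not code from krb5 or from this bug report. The struct, the toy "issuer|serial" decoder and both function names are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a decoded issuer/serial field; not krb5's own types. */
struct issuer_serial { char *issuer; char *serial; };

/* Toy decoder for "issuer|serial"; returns NULL when the field is malformed. */
static struct issuer_serial *decode_is(const char *buf)
{
    const char *sep = strchr(buf, '|');
    struct issuer_serial *is;
    if (sep == NULL || sep == buf || sep[1] == '\0')
        return NULL;
    is = malloc(sizeof(*is));
    if (is == NULL || (is->issuer = malloc(strlen(buf) + 1)) == NULL) {
        free(is);                               /* free(NULL) is a no-op */
        return NULL;
    }
    strcpy(is->issuer, buf);
    is->issuer[sep - buf] = '\0';               /* split the copy in place */
    is->serial = is->issuer + (sep - buf) + 1;  /* points into the same buffer */
    return is;
}

/* Before: the shared cleanup label dereferences is even when decoding failed. */
int check_id_unsafe(const char *buf, const char *want_issuer)
{
    int ret = -1;
    struct issuer_serial *is = decode_is(buf);
    if (is == NULL)
        goto cleanup;
    ret = strcmp(is->issuer, want_issuer) == 0 ? 0 : 1;
cleanup:
    free(is->issuer);   /* NULL pointer dereference when is == NULL */
    free(is);
    return ret;
}

/* After: the early-exit path never touches fields of an object that was not built. */
int check_id_safe(const char *buf, const char *want_issuer)
{
    int ret = -1;
    struct issuer_serial *is = decode_is(buf);
    if (is == NULL)
        return ret;     /* nothing was allocated, so nothing to free */
    ret = strcmp(is->issuer, want_issuer) == 0 ? 0 : 1;
    free(is->issuer);
    free(is);
    return ret;
}
```

Both functions return 0 on a match, 1 on a mismatch and -1 on a malformed field; only `check_id_safe` survives the malformed case.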
Ready for vote, I vote NO.
GLSA vote: no.