[3.4] krb5: S4U2Self KDC crash when anon is restricted (CVE-2016-3120)
The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.
References:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3120
Patch:
https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
(from redmine: issue id 6158, created on 2016-09-14, closed on 2016-10-14)
- Relations:
- parent #6156 (closed)
- Changesets:
- Revision b1878b63 by Natanael Copa on 2016-09-14T14:34:21Z:
main/krb5: security upgrade to 1.14.3 (CVE-2016-3120)
fixes #6158
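An exposure check for the two preconditions named in the description, as an added example that is not part of the original issue or of krb5: it finds realms in a kdc.conf `[realms]` section that set restrict_anonymous_to_tgt to true and compares the installed krb5 version against the fixed releases. Assumptions: 1.13.6 and 1.14.3 are treated as the fixed releases (the changeset above upgrades to 1.14.3), and the function names and the sample configuration are constructed for illustration.

```python
import re

# Strings the krb5 profile library parses as boolean true (case-insensitive).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample kdc.conf, not taken from any real deployment.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        # anonymous clients may only obtain TGTs
        restrict_anonymous_to_tgt = true
    }
    LAB.EXAMPLE.COM = {
        restrict_anonymous_to_tgt = false
    }
"""

def realms_restricting_anonymous(conf_text):
    """Return realms in [realms] whose restrict_anonymous_to_tgt is true."""
    section, realm, hits = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)                   # start of a realm subsection
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"restrict_anonymous_to_tgt\s*=\s*(\S+)", line)):
            if m.group(1).lower() in TRUE_WORDS:
                hits.append(realm)
    return hits

def version_is_fixed(version):
    """True for >= 1.13.6 on the 1.13 branch, >= 1.14.3 on any other branch."""
    v = tuple(int(p) for p in version.split("-")[0].split("."))  # drop "-r0" style suffix
    v += (0,) * (3 - len(v))
    return v >= ((1, 13, 6) if v[:2] == (1, 13) else (1, 14, 3))

def exposed_realms(version, conf_text):
    """Realms that meet both preconditions: unfixed KDC and the option enabled."""
    return [] if version_is_fixed(version) else realms_restricting_anonymous(conf_text)
```

An empty result from `exposed_realms` means at least one precondition is absent; upgrading to a fixed release remains the remedy the changeset applies.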