krb5: kadmin NULL pointer dereference issues (CVE-2014-5353, CVE-2014-5354)
CVE-2014-5353:
The krb5_ldap_get_password_policy_from_dn function in
plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka
krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated
users to cause a denial of service (daemon crash) via a successful LDAP
query with no results, as demonstrated by using an incorrect object type
for a password policy.
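A simplified model of the CVE-2014-5353 failure mode described above, added here as an illustration; it is not the krb5 source. The directory contents, object-class labels, status codes and function names are all constructed for the example. The search succeeds but matches nothing because the named object has the wrong type, and only the checked variant survives that case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for directory objects; not libldap or krb5 types. */
struct entry { const char *dn, *objclass; int max_life; };
static struct entry directory[] = {
    { "cn=default,cn=EXAMPLE", "pwdpolicy", 86400 },
    { "cn=host1,cn=EXAMPLE",   "principal", 0 },
};
enum { ST_OK = 0, ST_NOENTRY = 1 };   /* hypothetical status codes */

/* Models a search by DN with an object-class filter. It returns ST_OK
 * whenever the search ran; *ent stays NULL if nothing matched the filter. */
static int search_policy(const char *dn, struct entry **ent)
{
    *ent = NULL;
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (!strcmp(directory[i].dn, dn) &&
            !strcmp(directory[i].objclass, "pwdpolicy"))
            *ent = &directory[i];
    return ST_OK;
}

/* Vulnerable shape: treats "search succeeded" as "an entry exists". */
int get_policy_unchecked(const char *dn, int *max_life)
{
    struct entry *ent;
    int st = search_policy(dn, &ent);
    if (st != ST_OK)
        return st;
    *max_life = ent->max_life;   /* NULL dereference on an empty result */
    return ST_OK;
}

/* Hardened shape: an empty result set is reported as "no such entry". */
int get_policy_checked(const char *dn, int *max_life)
{
    struct entry *ent;
    int st = search_policy(dn, &ent);
    if (st != ST_OK)
        return st;
    if (ent == NULL)
        return ST_NOENTRY;
    *max_life = ent->max_life;
    return ST_OK;
}

int main(void)
{
    int life = 0;
    printf("policy object: %d\n", get_policy_checked("cn=default,cn=EXAMPLE", &life));
    printf("wrong type:    %d\n", get_policy_checked("cn=host1,cn=EXAMPLE", &life));
    return 0;
}
```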
CVE-2014-5354:
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka
krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows
remote authenticated users to cause a denial of service (NULL pointer
dereference and daemon crash) by creating a database entry for a keyless
principal, as demonstrated by a kadmin “add_principal -nokey” or
“purgekeys -all” command.
References:
http://seclists.org/oss-sec/2014/q4/1055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5354
CVE-2014-5353:
https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3
CVE-2014-5354:
https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16
(from redmine: issue id 3799, created on 2015-01-27, closed on 2015-12-09)
- Relations:
  - child #3800 (closed)
  - child #3801 (closed)
  - child #3802 (closed)
  - child #3803 (closed)
- Changesets:
  - Revision 6c0f5b15 by Natanael Copa on 2015-01-30T10:39:05Z:
    main/krb5: security fixes for CVE-2014-5353, CVE-2014-5354
    ref #3799
  - Revision 0940a1ae by Natanael Copa on 2015-01-30T10:44:04Z:
    main/krb5: security fixes for CVE-2014-5353, CVE-2014-5354
    ref #3799
    fixes #3803
    (cherry picked from commit 6c0f5b1515a834e3b68f2e199ccce1148f6c8054)