| commit | b64e1b4a510c81628feeb68af75afd3275ea75c3 | |
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | |
| Mon, 30 May 2022 07:16:02 +0000 (30 19:16 +1200) | ||
| committer | Jule Anger <janger@samba.org> | |
| Sun, 24 Jul 2022 09:55:51 +0000 (24 11:55 +0200) | ||
| tree | 4808e4db4b2db459a0191837504a2de130234694 | treesnapshot (tar.gz zip) |
| parent | e21efbabccbf9c422347e9e94b3f217186556ee7 | commitdiff |
CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed knownfail as KDC no longer panics]
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed knownfail as KDC no longer panics]
| selftest/knownfail_heimdal_kdc | diffblobblamehistory | |
| selftest/knownfail_mit_kdc | diffblobblamehistory | |
| source4/kdc/kpasswd-service.c | diffblobblamehistory |