sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code

CVE-2020-25719 heimdal:kdc: Require PAC to be present

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2021-10-29 14:35:52 +13:00 committed by Jule Anger
parent 355c4509e5
commit 50e11804fa
2 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
selftest/knownfail_heimdal_kdc
View File

@ -252,12 +252,8 @@
#
# KDC TGT tests
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed

5
source4/heimdal/kdc/krb5tgs.c
View File

@ -74,9 +74,12 @@ check_PAC(krb5_context context,
*ppac = NULL;
ret = _krb5_kdc_pac_ticket_parse(context, tkt, &signedticket, &pac);
if (ret || pac == NULL)
if (ret)
return ret;
if (pac == NULL)
return KRB5KDC_ERR_BADOPTION;
/* Verify the server signature. */
ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal,
server_check_key, NULL);