From e11e73abc101361c0b66b3b958a64c9c8f6c608b Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Nov 26 2019 13:08:31 +0000
Subject: CVE-2019-14867: Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at by "t", if that is not provided the pointer will be store in whatever memory location is pointed by the stack at that time causeing a crash. It's also possible for unprivileged end users to trigger parsing of the krbPrincipalKey.
Fixes #8071: CVE-2019-14867
Reported by Todd Lipcon from Cloudera
Signed-off-by: Simo Sorce
Reviewed-By: Christian Heimes
(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6)
---
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index a27cd4a..c09c3da 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
 retag = ber_peek_tag(be, &setlen);
 if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
 /* not supported yet, skip */
- retag = ber_scanf(be, "t[x]}");
+ retag = ber_scanf(be, "t[x]}", &tag);
 } else {
 retag = ber_scanf(be, "}");
 }
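Review bot: The added `&tag` is only correct if `tag` is declared as a `ber_tag_t` in ber_decode_krb5_key_data, and that declaration is outside the hunk — confirm it is a full-width `ber_tag_t` rather than an `int` or a variable from a narrower scope, since a too-small object would reintroduce the same out-of-bounds store the commit fixes. The value written into `tag` is discarded on this path, which a reader may mistake for an oversight; a comment on the changed line such as `/* "t" requires a ber_tag_t sink; the tag itself is ignored here */` would make the intent explicit. What happens to `retag` after the if/else is also outside the hunk; `ber_scanf` returns LBER_ERROR on a malformed encoding in the skipped-element branch just as in the other one, so both results should be checked the same way before the function proceeds. The enclosing function starts and ends outside the hunk.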