Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 149639 Details for
Bug 231537
CVE-2007-1216 krb5 double free flaw
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed upstream patch
CVE-2007-1216.patch (text/plain), 2.52 KB, created by
Josh Bressers
on 2007-03-08 21:24:22 UTC
(
hide
)
Description:
Proposed upstream patch
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2007-03-08 21:24:22 UTC
Size:
2.52 KB
patch
obsolete
>*** src/lib/gssapi/krb5/k5unseal.c (revision 19510) >--- src/lib/gssapi/krb5/k5unseal.c (revision 19511) >*************** >*** 457,464 **** > > if ((ctx->initiate && direction != 0xff) || > (!ctx->initiate && direction != 0)) { >! if (toktype == KG_TOK_SEAL_MSG) > xfree(token.value); > *minor_status = G_BAD_DIRECTION; > return(GSS_S_BAD_SIG); > } >--- 457,467 ---- > > if ((ctx->initiate && direction != 0xff) || > (!ctx->initiate && direction != 0)) { >! if (toktype == KG_TOK_SEAL_MSG) { > xfree(token.value); >+ message_buffer->value = NULL; >+ message_buffer->length = 0; >+ } > *minor_status = G_BAD_DIRECTION; > return(GSS_S_BAD_SIG); > } > >REFERENCES >========== > >This announcement is posted at: > > http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt > >This announcement and related security advisories may be found on the >MIT Kerberos security advisory page at: > > http://web.mit.edu/kerberos/advisories/index.html > >The main MIT Kerberos web page is at: > > http://web.mit.edu/kerberos/index.html > >CVE: CVE-2007-1216 >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216 > >ACKNOWLEDGMENTS >=============== > >This bug was found while exercising the GSS-API library using the >GSSTEST test program provided by SAP AG. > >DETAILS >======= > >The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees >memory allocated for the "message_buffer" gss_buffer_t when it detects >an invalid direction encoding on the message. It does not set the >pointer to NULL, nor does it set the length to zero. An application >subsequently calling gss_release_buffer() on this gss_buffer_t will >cause memory to be freed twice. > >Much code provided with MIT krb5 does not attempt to call >gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even >though the GSS-API C-bindings specification permits it to do so. The >RPCSEC_GSS authentication flavor for the RPC library, introduced in >krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails. >This allows an authenticated attacker to trigger a double-free >situation. > >Third-party applications calling the RPC library provided with MIT >krb5 and using the RPCSEC_GSS authentication flavor are vulnerable. >Third-party applications calling the MIT GSS-API library are >vulnerable if they call gss_release_buffer() when they experience >errors from gss_unseal() or gss_unwrap(). > >REVISION HISTORY >================ > >2007-mm-dd original release > >Copyright (C) 2007 Massachusetts Institute of Technology
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=149639">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 231537
: 149639