Bug 415321 (CVE-2007-5901)
| Summary: | CVE-2007-5901 krb5: use-after-free in gssapi lib | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | kreilly, nalin |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5901 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-03-31 09:42:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 434923, 434924, 438022, 438023 | ||
| Bug Blocks: | |||
|
Description
Tomas Hoger
2007-12-07 08:39:37 UTC
http://marc.info/?l=full-disclosure&m=119743235325151&w=2 MIT Say: CVE-2007-5901 http://bugs.gentoo.org/show_bug.cgi?id=199214 This bug is consists of freeing a non-heap pointer, and is not a practical vulnerability due to the extreme difficulty of exploitation. In src/lib/gssapi/mechglue/g_initialize.c, the function gss_indicate_mechs() can make the call free(mechSet), which is erroneous because "mechSet" is a pointer to type "gss_OID_set" passed in by the caller of gss_indicate_mechs() and the dereferenced "*mechSet" is where the pointer to allocated memory is assigned. 201 /* still need to copy each of the oid elements arrays */ 202 for (i = 0; i < (*mechSet)->count; i++) { 203 curItem = &((*mechSet)->elements[i]); 204 curItem->elements = 205 (void *) malloc(g_mechSet.elements[i].length); 206 if (curItem->elements == NULL) { 207 (void) k5_mutex_unlock(&g_mechSetLock); 208 /* 209 * must still free the allocated elements for 210 * each allocated gss_OID_desc 211 */ 212 for (j = 0; j < i; j++) { 213 free((*mechSet)->elements[j].elements); 214 } 215 free((*mechSet)->elements); 216 free(mechSet); 217 *mechSet = NULL; 218 return (GSS_S_FAILURE); 219 } 220 g_OID_copy(curItem, &g_mechSet.elements[i]); 221 } If the allocation of (*mechSet)->elements fails, the erroneous call of free(mechSet) occurs, freeing a pointer which probably points into the stack frame of the caller. In order to successfully exploit this vulnerability, an attacker would have to cause a malloc() failure to occur at precisely the right time: almost immediately after a different malloc() call has succeeded. Upstream bug report: http://krbdev.mit.edu/rt/Ticket/Display.html?id=5854 Fix seems to be tagged for inclusion in upstream version 1.6.4. Upstream SVN commit: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?view=rev&rev=20178 krb5-1.6.1-9.fc7 has been submitted as an update for Fedora 7 krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8 krb5-1.6.1-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0164.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2637 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2647 |