Bug 581922 (CVE-2010-1320)

Summary: CVE-2010-1320 krb5: double-free vulnerability in 1.7+
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jrusnack, nalin, rcvalle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-25 09:53:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 584092, 584093, 584094    
Bug Blocks:    

Description Vincent Danen 2010-04-13 15:45:14 UTC 
A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later.  This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult).

This issue does not affect previous versions of MIT krb5.

From the upstream advisory (MITKRB5-SA-2010-004):

When process_tgs_req() handles renewal or validation of existing
tickets, it copies header_ticket->enc_part2 (from the ticket that is
being validated or renewed) to enc_tkt_reply (the new ticket being
generated for the reply). This causes
enc_tkt_reply.authorization_data to be an alias for memory that
belongs to the request. As process_tgs_req() exits, it frees both
header_ticket and enc_tkt_reply, which causes the aliased memory to be
freed twice.

In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS
request processing normally adds a "signedpath" authorization data
element, which causes merge_authdata() to run. Inside
merge_authdata() is a call to realloc() that can potentially cause the
authorization data from header_ticket to be freed (if realloc() needs
to relocate the memory) an additional time before the cleanup code at
the end of process_tgs_req(). The krb5-1.7 releases can still
encounter this condition under less common circumstances, such as when
a client provides authorization data that it wants the KDC include in
the new ticket.
Comment 6 Vincent Danen 2010-04-20 18:42:46 UTC 
This is now public:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
Comment 8 Vincent Danen 2010-04-20 18:43:30 UTC 
Created krb5 tracking bugs for this issue

Affects: fedora-12 [bug 584093]
Affects: fedora-13 [bug 584094]
Comment 9 Fedora Update System 2010-04-20 19:02:49 UTC 
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12
Comment 10 Fedora Update System 2010-04-20 19:02:51 UTC 
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13
Comment 11 Fedora Update System 2010-04-21 21:53:56 UTC 
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-04-21 21:58:02 UTC 
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.