Summary:          CVE-2010-1320 krb5: double-free vulnerability in 1.7+
Product:          [Other] Security Response
Reporter:         Vincent Danen <vdanen>
Component:        vulnerability
Assignee:         Red Hat Product Security <security-response-team>
Status:           CLOSED ERRATA
QA Contact:
Version:          unspecified
CC:               jrusnack, nalin, rcvalle
Fixed In Version:
Doc Type:         Bug Fix
Doc Text:
Story Points:     ---
Last Closed:      2010-06-25 09:53:29 UTC
Type:             ---
oVirt Team:       ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:   584092, 584093, 584094
Description Vincent Danen 2010-04-13 15:45:14 UTC
A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later. This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult). This issue does not affect previous versions of MIT krb5.

From the upstream advisory (MITKRB5-SA-2010-004):

When process_tgs_req() handles renewal or validation of existing tickets, it copies header_ticket->enc_part2 (from the ticket that is being validated or renewed) to enc_tkt_reply (the new ticket being generated for the reply). This causes enc_tkt_reply.authorization_data to be an alias for memory that belongs to the request. As process_tgs_req() exits, it frees both header_ticket and enc_tkt_reply, which causes the aliased memory to be freed twice.

In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS request processing normally adds a "signedpath" authorization data element, which causes merge_authdata() to run. Inside merge_authdata() is a call to realloc() that can potentially cause the authorization data from header_ticket to be freed (if realloc() needs to relocate the memory) an additional time before the cleanup code at the end of process_tgs_req().

The krb5-1.7 releases can still encounter this condition under less common circumstances, such as when a client provides authorization data that it wants the KDC to include in the new ticket.
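The aliasing the advisory describes, reduced to its ownership shape as an added example (not code from the bug report or from MIT krb5): a struct assignment copies the authorization_data pointer, so the cleanup that frees both tickets frees one buffer twice, while a deep-copying variant keeps ownership distinct. The field types, the live-pointer tracker, and the model_process_tgs_req() wrapper are assumptions; the extra realloc() path through merge_authdata() is not modelled.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the advisory's structures (constructed; only pointer ownership matters). */
typedef struct { char *contents; } krb5_authdata;
typedef struct { krb5_authdata *authorization_data; } enc_tkt_part;

/* Tiny live-pointer registry: a free() of an unregistered pointer is counted as
 * a double free instead of corrupting the heap (what ASan/valgrind would flag). */
static void *live[8];
static int double_frees;

static krb5_authdata *authdata_new(const char *s) {
    krb5_authdata *ad = malloc(sizeof *ad);
    ad->contents = malloc(strlen(s) + 1);
    strcpy(ad->contents, s);
    for (int i = 0; i < 8; i++) if (!live[i]) { live[i] = ad; break; }
    return ad;
}

static void authdata_free(krb5_authdata *ad) {
    for (int i = 0; i < 8; i++)
        if (live[i] == ad) { live[i] = NULL; free(ad->contents); free(ad); return; }
    double_frees++;   /* pointer no longer live: this is a second free */
}

/* Vulnerable copy step: plain struct assignment shallow-copies the pointer, so
 * enc_tkt_reply.authorization_data aliases the header ticket's buffer. */
static void copy_enc_part_aliased(enc_tkt_part *reply, const enc_tkt_part *hdr) {
    *reply = *hdr;
}

/* Hardened copy step: deep copy so each ticket owns one buffer (illustrative, not the upstream patch). */
static void copy_enc_part_owned(enc_tkt_part *reply, const enc_tkt_part *hdr) {
    *reply = *hdr;
    reply->authorization_data = authdata_new(hdr->authorization_data->contents);
}

/* Models process_tgs_req(): derive the reply ticket from the header ticket,
 * then free both on exit. Returns how many double frees the cleanup attempted. */
static int model_process_tgs_req(void (*copy)(enc_tkt_part *, const enc_tkt_part *)) {
    enc_tkt_part header_ticket = { authdata_new("signedpath") }, enc_tkt_reply;
    double_frees = 0;
    copy(&enc_tkt_reply, &header_ticket);
    authdata_free(header_ticket.authorization_data);  /* first free */
    authdata_free(enc_tkt_reply.authorization_data);  /* alias: second free */
    return double_frees;
}
```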
Comment 6 Vincent Danen 2010-04-20 18:42:46 UTC
This is now public: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
Comment 8 Vincent Danen 2010-04-20 18:43:30 UTC
Created krb5 tracking bugs for this issue
Affects: fedora-12 [bug 584093]
Affects: fedora-13 [bug 584094]
Comment 9 Fedora Update System 2010-04-20 19:02:49 UTC
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12
Comment 10 Fedora Update System 2010-04-20 19:02:51 UTC
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13
Comment 11 Fedora Update System 2010-04-21 21:53:56 UTC
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-04-21 21:58:02 UTC
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.