A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from a GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. It is reported that this issue affects version 1.10 and later. Upstream commit and further details: https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1121879]
spnego_gss_init_sec_context -> init_ctx_cont -> init_ctx_nego -> init_ctx_reselect
It is possible for an unauthenticated attacker to crash the clients, as, in the process, according to the RFC, SPNEGO uses a pseudo-mechanism which checks which GSSAPI mechanisms can be used. SPNEGO is not used by default. Executing such an attack is highly complex, as it also involves spoofing the web server's SSL certificate.
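Added illustration, not code from krb5 or from this bug report: a constructed C model of the bug class named above, where the initiator tears down the context it built for its first-choice mechanism when the acceptor reselects another one, and the outer init_sec_context error path releases the same context again if the reselected mechanism fails. Function and field names (mech_delete, ctx_handle, reselect_*) are assumptions for the model; releases are counted instead of calling free() so the double release is observable.

```c
#include <stddef.h>

/* Stand-in for a mechanism security context (e.g. one created for the
 * optimistic mechanism). Instrumented: a real release would free() it,
 * here we only count releases so a double release can be detected. */
typedef struct { int released; } mech_ctx;

static void mech_delete(mech_ctx *c) { if (c != NULL) c->released++; }

/* Stand-in for the SPNEGO negotiation context owned by the initiator. */
typedef struct { mech_ctx *ctx_handle; } spnego_ctx;

/* Acceptor's reply (attacker-controllable input) selected a different
 * mechanism: discard the optimistic context and start the new one.
 * Returns 0 on success, -1 if the reselected mechanism cannot be started. */
static int reselect_unsafe(spnego_ctx *sc, mech_ctx *fresh, int new_mech_ok) {
    mech_delete(sc->ctx_handle);   /* BUG: ctx_handle still points at it */
    if (!new_mech_ok)
        return -1;                 /* caller's error path releases it again */
    sc->ctx_handle = fresh;
    return 0;
}

static int reselect_fixed(spnego_ctx *sc, mech_ctx *fresh, int new_mech_ok) {
    mech_delete(sc->ctx_handle);
    sc->ctx_handle = NULL;         /* FIX: nothing left for a later path to free */
    if (!new_mech_ok)
        return -1;
    sc->ctx_handle = fresh;
    return 0;
}

/* Outer init_sec_context: on any failure, release whatever context is held. */
static int init_sec_context(spnego_ctx *sc, mech_ctx *fresh, int fixed, int ok) {
    int r = fixed ? reselect_fixed(sc, fresh, ok) : reselect_unsafe(sc, fresh, ok);
    if (r != 0) {
        mech_delete(sc->ctx_handle);
        sc->ctx_handle = NULL;
    }
    return r;
}

/* Runs one exchange and returns how often the optimistic context was
 * released: 1 is correct, 2 is the double free the report describes. */
int optimistic_release_count(int fixed, int new_mech_ok) {
    mech_ctx optimistic = {0}, fresh = {0};
    spnego_ctx sc = { &optimistic };
    (void)init_sec_context(&sc, &fresh, fixed, new_mech_ok);
    return optimistic.released;
}
```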
Statement: This issue did not affect the version of krb5 as shipped with Red Hat Enterprise Linux 5.
krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from a GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1389 https://rhn.redhat.com/errata/RHSA-2014-1389.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html