A stack based buffer overflow was found in the get_matching_data() function, when reading the principal's certificate during pkinit preauthentication. If the Certifcate Authority's subject line is sufficiently long, an attacker able to have a specially crafted certificate signed could crash the authentication process, such as kinit, or, possibly, run arbitrary code.
A buffer overflow vulnerability was found in get_matching_data() function when both the CA cert and the user cert have a long subject affecting krb5 that includes certauth plugin. Attack requires a validated certificate with a long subject and issuer, and a "pkinit_cert_match" string attribute on some principal in the database. A remote code execution exploit might also require that the attacker gets to choose the contents of the issuer in the validated cert.
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1506622]
This issue affects the versions of krb5 as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.