Bug 159755 - CAN-2005-1689 double-free in krb5_recvauth
Summary: CAN-2005-1689 double-free in krb5_recvauth
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5   
Version: 3
Hardware: All Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Whiteboard: impact=critical,embargo=20050712,sour...
Keywords: Security
Reported: 2005-06-07 20:07 UTC by Josh Bressers
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.3.6-7
Doc Type: Bug Fix
Last Closed: 2006-06-30 02:30:43 UTC


Description Josh Bressers 2005-06-07 20:07:33 UTC
+++ This bug was initially created as a clone of Bug #159753 +++

Severity: CRITICAL


The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.


An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.


* The kpropd daemon in all releases of MIT krb5, up to and including
   krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
   krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are also


* Apply the following patch.  This patch was generated against the
   krb5-1.4.1 release.  It may apply, with some offset, to earlier

   The patch may also be found at:


   The associated detached PGP signature is at:


Index: lib/krb5/krb/recvauth.c
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
--- lib/krb5/krb/recvauth.c     23 May 2005 23:19:15 -0000
*** 76,82 ****
            if ((retval = krb5_read_message(context, fd, &inbuf)))
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
--- 76,81 ----
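Review bot: the free removed here (`krb5_xfree(inbuf.data)` in the KRB5_SENDAUTH_BADAUTHVERS branch) was the first of two frees of the same buffer: the branch only sets `problem` and continues rather than returning, so the shared cleanup reached afterwards frees `inbuf.data` a second time. That cleanup lies outside the visible lines, and this pasted hunk has also lost lines (the `*** 76,82 ****` range covers seven lines but only four appear), so the fix cannot be verified from the hunk alone; a comment at the branch stating that `inbuf.data` is released by the common exit path would keep a later edit from reintroducing the free.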
*** 90,96 ****
        if ((retval = krb5_read_message(context, fd, &inbuf)))
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
--- 89,94 ----
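Review bot: the same point applies to the application-version check: `if (!problem)` shows that a mismatch only records a problem code and continues, so freeing `inbuf.data` here and again in the common cleanup is the double free the advisory describes, and dropping the branch-local free is the right fix provided the common cleanup still frees the buffer on every path. Since both checks read into the same `inbuf`, it is worth confirming in the full file that the buffer read for the application version does not overwrite a still-allocated first message, which would turn the double free into a leak; the lines needed to check that are not in this hunk.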

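A model of the error path described in this report, added here as an example and not MIT's code: `recvauth_version_check`, `tracked_free` and the version strings are constructed, and frees are counted instead of performed twice so the pre-patch flow can be exercised without corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not krb5 source) of the version check in krb5_recvauth():
 * a mismatch records a problem code and falls through to a common cleanup that
 * frees inbuf.data. Before the patch the mismatch branch also freed it, so the
 * same pointer was freed twice. free_count records how many times that happens. */

struct message { char *data; };

static int free_count;               /* frees issued on the current inbuf.data */

static void tracked_free(void *p) {
    free_count++;
    if (free_count == 1)             /* only the first free really releases it */
        free(p);
}

/* Stands in for krb5_read_message(): copies a constructed wire string. */
static int read_message(struct message *m, const char *wire) {
    size_t n = strlen(wire) + 1;
    m->data = malloc(n);
    if (!m->data)
        return -1;
    memcpy(m->data, wire, n);
    return 0;
}

/* Returns the number of frees applied to inbuf.data for one exchange.
 * free_in_branch == 1 models the pre-patch code, 0 the patched code. */
static int recvauth_version_check(const char *peer_version,
                                  const char *expected_version,
                                  int free_in_branch) {
    struct message inbuf;
    int problem = 0;
    free_count = 0;
    if (read_message(&inbuf, peer_version) != 0)
        return -1;
    if (strcmp(inbuf.data, expected_version)) {
        if (free_in_branch)
            tracked_free(inbuf.data); /* the line the patch removes */
        problem = 1;                  /* KRB5_SENDAUTH_BADAUTHVERS in krb5 */
    }
    /* common cleanup, reached on both the matching and the mismatch path */
    tracked_free(inbuf.data);
    (void)problem;
    return free_count;
}
```

With the mismatch path and the branch-local free enabled the buffer is freed twice, which is the condition glibc's heap checks abort on in Comment 2; the patched flow frees it exactly once on every path.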
Comment 1 Josh Bressers 2005-06-07 20:10:07 UTC
The embargo on this issue will be lifted after FC4 comes out, we shall want to
fix it there as well.

Comment 2 Mark J. Cox 2005-06-07 20:15:53 UTC
Note that on RHEL4 and FC3 and FC4 a double free will be caught by glibc and
cause a crash.  Whilst this allows a remote DoS it won't allow arbitrary code. 
Therefore Important on those distributions with these checks, Critical elsewhere.

Comment 3 Mark J. Cox 2005-07-12 18:02:35 UTC
public at http://web.mit.edu/kerberos/www/advisories/, removing embargo

Comment 4 Matthew Miller 2006-06-30 02:30:43 UTC
This was fixed in 1.3.6-7 and an update released. It just was never marked as
