Bug 159756 - CAN-2005-1689 double-free in krb5_recvauth
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Whiteboard: impact=important,embargo=20050712,sou...
Keywords: Security
Reported: 2005-06-07 16:15 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2005-567
Doc Type: Bug Fix
Last Closed: 2005-07-12 14:16:13 EDT
Description Josh Bressers 2005-06-07 16:15:10 EDT
+++ This bug was initially created as a clone of Bug #159753 +++

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
   krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
   krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are also
   vulnerable.

FIXES
=====

* Apply the following patch.  This patch was generated against the
   krb5-1.4.1 release.  It may apply, with some offset, to earlier
   releases.

   The patch may also be found at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

   The associated detached PGP signature is at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
--- lib/krb5/krb/recvauth.c     23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
--- 76,81 ----
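Review bot: dropping the inner krb5_xfree(inbuf.data) is the whole fix for the sendauth-version path, because the unconditional krb5_xfree(inbuf.data) that follows the if block already releases the buffer on both the match and the mismatch path; before this hunk a client sending any string other than sendauth_version had the buffer freed twice before problem was even reported back. Note that the mismatch path still only records problem = KRB5_SENDAUTH_BADAUTHVERS and falls through rather than returning, so the code relies on the next krb5_read_message() into inbuf overwriting inbuf.data before it is touched again; setting inbuf.data = NULL after the unconditional free would make that safe against any later error path as well.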
***************
*** 90,96 ****
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }
--- 89,94 ----
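Review bot: the context here ends at the closing brace, so the single krb5_xfree(inbuf.data) that the appl_version mismatch path now relies on is not visible in this hunk; confirm it directly follows the brace as it does in the previous hunk, otherwise removing this free trades the double free for a leak of the application-version buffer. The if (!problem) guard is preserved, so a bad sendauth version still takes precedence over a bad application version in the error the caller reports.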
Comment 1 Josh Bressers 2005-06-07 16:17:12 EDT
Double free issues are now caught on RHEL4.  This issue will not be able to
execute arbitrary code.  It will be a denial of service issue though.
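As an added example (not MIT's code and not the advisory's patch), the C program below models the two version checks from the patched region of recvauth.c: the pre-fix form with the extra free inside the mismatch branch, and the patched form beside it. read_message_model(), tracked_malloc()/tracked_free(), run_scenario(), the MODEL_* codes and the sample message streams are inventions for this example, and the version strings are constructed sample input. The tracking allocator counts a repeat release of the same pointer instead of calling free() again, which is what lets the vulnerable path run to completion rather than stop in the allocator's double-free check that Comment 1 refers to.

```c
/* Added example, not MIT krb5 code: a reduced model of the version exchange
 * in krb5_recvauth(), with the double free the patch removed beside the
 * fixed form.  All names below are inventions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_BADAUTHVERS 1   /* stands in for KRB5_SENDAUTH_BADAUTHVERS */
#define MODEL_BADAPPLVERS 2   /* stands in for KRB5_SENDAUTH_BADAPPLVERS */

/* Allocator shim: the first release of a block calls free(); a repeat release
 * of the same pointer is only counted, so the vulnerable path can run to the
 * end instead of aborting in glibc's double-free check. */
static void *freed_ptrs[16];
static int freed_count;
static int double_free_count;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {            /* address recycled: no longer freed */
            freed_ptrs[i] = freed_ptrs[--freed_count];
            break;
        }
    }
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_count++;             /* a real free() would corrupt or abort here */
            return;
        }
    }
    if (freed_count < 16)
        freed_ptrs[freed_count++] = p;
    free(p);
}

/* Constructed wire input: NUL-separated strings stand in for the
 * length-prefixed messages the real krb5_read_message() returns. */
struct stream { const char *cur; const char *end; };

static int read_message_model(struct stream *s, char **out) {
    if (s->cur >= s->end) return -1;
    size_t n = strlen(s->cur);
    *out = tracked_malloc(n + 1);
    if (!*out) return -1;
    memcpy(*out, s->cur, n + 1);
    s->cur += n + 1;
    return 0;
}

/* Before the patch: a mismatch frees the buffer inside the branch, and the
 * unconditional release after the branch then frees it a second time. */
int recvauth_vulnerable(struct stream *s, const char *sendauth_version,
                        const char *appl_version) {
    char *data;
    int problem = 0;
    if (read_message_model(s, &data) != 0) return -1;
    if (strcmp(data, sendauth_version)) {
        tracked_free(data);                  /* first free */
        problem = MODEL_BADAUTHVERS;
    }
    tracked_free(data);                      /* second free on the mismatch path */
    if (read_message_model(s, &data) != 0) return -1;
    if (appl_version && strcmp(data, appl_version)) {
        tracked_free(data);                  /* same pattern for the application version */
        if (!problem) problem = MODEL_BADAPPLVERS;
    }
    tracked_free(data);
    return problem;
}

/* As patched: each buffer is released exactly once, after the comparison,
 * whether or not the version matched. */
int recvauth_fixed(struct stream *s, const char *sendauth_version,
                   const char *appl_version) {
    char *data;
    int problem = 0;
    if (read_message_model(s, &data) != 0) return -1;
    if (strcmp(data, sendauth_version))
        problem = MODEL_BADAUTHVERS;
    tracked_free(data);
    if (read_message_model(s, &data) != 0) return -1;
    if (appl_version && strcmp(data, appl_version)) {
        if (!problem) problem = MODEL_BADAPPLVERS;
    }
    tracked_free(data);
    return problem;
}

/* Constructed client input: a well-behaved client and two attacker-chosen
 * mismatches; nothing here requires credentials, the strings are sent
 * before any authentication happens. */
static const char SENDAUTH_VERSION[] = "KRB5_SENDAUTH_V1.0";
static const char APPL_VERSION[]     = "KCMD0.1";
static const char MSGS_GOOD[]        = "KRB5_SENDAUTH_V1.0\0KCMD0.1";
static const char MSGS_BAD_AUTH[]    = "KRB5_SENDAUTH_V9.9\0KCMD0.1";
static const char MSGS_BAD_BOTH[]    = "KRB5_SENDAUTH_V9.9\0KCMD9.9";

struct outcome { int problem; int double_frees; };

/* Runs one scenario and reports the problem code and the double frees seen. */
struct outcome run_scenario(int fixed, const char *msgs, size_t msgs_len) {
    struct stream s = { msgs, msgs + msgs_len };
    struct outcome o;
    freed_count = 0;
    double_free_count = 0;
    o.problem = fixed ? recvauth_fixed(&s, SENDAUTH_VERSION, APPL_VERSION)
                      : recvauth_vulnerable(&s, SENDAUTH_VERSION, APPL_VERSION);
    o.double_frees = double_free_count;
    return o;
}

int main(void) {
    struct outcome o = run_scenario(0, MSGS_BAD_AUTH, sizeof MSGS_BAD_AUTH);
    printf("vulnerable, bad sendauth version: problem=%d double_frees=%d\n",
           o.problem, o.double_frees);
    o = run_scenario(1, MSGS_BAD_AUTH, sizeof MSGS_BAD_AUTH);
    printf("fixed,      bad sendauth version: problem=%d double_frees=%d\n",
           o.problem, o.double_frees);
    return 0;
}
```

Compile with `cc -o recvauth_model recvauth_model.c` and run it. If tracked_free() is replaced by a plain free(), the vulnerable run on a glibc with double-free checking terminates in the allocator instead of returning, which is the denial-of-service outcome described in Comment 1; the fixed form behaves identically under either allocator.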
Comment 2 Mark J. Cox (Product Security) 2005-07-12 14:01:57 EDT
Public at http://web.mit.edu/kerberos/www/advisories/, removing embargo
Comment 3 Red Hat Bugzilla 2005-07-12 14:16:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-567.html
