There is a bug in the FILE ccache implementation of MIT Kerberos 5 1.4.1 that
frees the wrong ccache every now and then. Especially in ksu, this behavior is
reproducable every time.

The bug is in the dereference() function in src/lib/krb5/ccache/cc_file.c, where
there is a line like this:
    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)

Obviously, the loop condition is not supposed to be "*fccsp == NULL", but rather
"*fccsp != NULL". This bug causes a lot of trouble:
 1. When using ksu, the target cc is freed when the source cc is supposed to be
freed, which causes two subissues:
  a. No target cc's are unlinked when ksu exits, which means that cc's will keep
piling up in /tmp.
  b. The source cc will remain open in ksu and its child processes, quite
possibly read locked, which means that any process trying to write lock the cc
(for example when requesting a new ticket) will sleep until ksu exits. This is
also an information leak, since ksu's child processes will have access to the
source cc.
 2. It obviously causes a high probability of programs using more than one fcc
at a time crashing. For example, when patching screen for Kerberos cc
duplication (<http://www.dolda2000.com/~fredrik/patches/>), screen will crash
periodically.
 3. It might be a security risk, since ksu is suid root (and maybe certain
network servers will be affected as well), and its memory is being corrupted. I
don't know if it's exploitable, but there's nothing that says it isn't, either.

FC should either patch this bug or update to a later version of Kerberos (the
bug is fixed in 1.4.3, I don't know about 1.4.2).