Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 245547 - (CVE-2007-2442) CVE-2007-2442 krb5 RPC library unitialized pointer free
CVE-2007-2442 krb5 RPC library unitialized pointer free
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 239073 245544
  Show dependency treegraph
Reported: 2007-06-25 07:37 EDT by Mark J. Cox
Modified: 2008-02-26 10:15 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-26 10:15:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0384 normal SHIPPED_LIVE Critical: krb5 security update 2007-06-26 14:43:05 EDT
Red Hat Product Errata RHSA-2007:0562 normal SHIPPED_LIVE Important: krb5 security update 2008-01-07 17:17:36 EST

  None (edit)
Description Mark J. Cox 2007-06-25 07:37:15 EDT
The MIT Kerberos Team has made us aware of the following issue:

CVE-2007-2442: The RPC library can free an uninitialized pointer.

"CVE-2007-2442: The function gssrpc__svcauth_gssapi() in
src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds"
of type auth_gssapi_creds.  This type includes a gss_buffer_desc
(which includes a pointer to void used as a pointer to a buffer of
bytes).  If gssrpc__svcauth_gssapi() receives an RPC credential with a
length of zero, it jumps to the label "error", which executes some
cleanup code.  At this point, the gss_buffer_desc in "creds" is not
yet initialized, and the cleanup code calls xdr_free() on "creds",
which then attempts to free the memory pointed to by the uninitialized
"value" member of the gss_buffer_desc.

Exploitation of freeing of invalid pointers is believed to be
difficult, and depends on a variety of factors specific to a given
malloc implementation."

This issue is embargoed until 20070626
Comment 1 Mark J. Cox 2007-06-25 07:39:10 EDT
For Red Hat Enterprise Linux 4 and 5, glibc contains checks that prevent this
issue from being exploitable.  Therefore this is a denial of service issue and
is impact important.

For Red Hat Enterprise Linux 2.1 and 3, this issue is potentially exploitable
and could result in arbitrary code execution.  Therefore this is is impact critical.
Comment 3 Josh Bressers 2007-06-26 14:20:33 EDT
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt
Comment 4 Red Hat Product Security 2008-02-26 10:15:04 EST
This issue was addressed in:

Red Hat Enterprise Linux:


Note You need to log in before you can comment on or make changes to this bug.