The MIT Kerberos Team has made us aware of the following issue:

CVE-2007-2442: The RPC library can free an uninitialized pointer.

"CVE-2007-2442: The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc. Exploitation of freeing of invalid pointers is believed to be difficult, and depends on a variety of factors specific to a given malloc implementation."

This issue is embargoed until 20070626
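As an added illustration, not MIT Kerberos code, the following models the pattern the advisory describes with stand-in types for auth_gssapi_creds and gss_buffer_desc, a stand-in for xdr_free(), and a constructed wire format; it shows the hardened form, where the automatic variable is zero-initialized before any early jump to the "error" label can reach the cleanup code. The field names, the version check and the decoder are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for gss_buffer_desc: a length and a pointer to bytes. */
typedef struct { size_t length; void *value; } buffer_desc;

/* Stand-in for auth_gssapi_creds (field names are hypothetical). */
typedef struct { int version; buffer_desc client_handle; } gssapi_creds;

/* Stand-in for xdr_free(): releases whatever decoding allocated.
 * In the bug, this ran on "creds" whose value pointer was never set. */
static void creds_free(gssapi_creds *c) {
    free(c->client_handle.value);   /* free(NULL) is a defined no-op */
    c->client_handle.value = NULL;
    c->client_handle.length = 0;
}

/* Constructed wire format for this example: byte 0 = version,
 * remaining bytes = client handle. Returns 0 on success, -1 on error. */
static int decode_creds(const unsigned char *wire, size_t len, gssapi_creds *c) {
    if (len < 2) return -1;
    c->version = wire[0];
    c->client_handle.length = len - 1;
    c->client_handle.value = malloc(len - 1);
    if (c->client_handle.value == NULL) return -1;
    memcpy(c->client_handle.value, wire + 1, len - 1);
    return 0;
}

/* Hardened handler: returns 1 if the credential is accepted, 0 if rejected.
 * The original jumped to "error" on a zero-length credential before "creds"
 * held anything; zero-initializing first makes every path to the label safe. */
int svcauth_gssapi_fixed(const unsigned char *wire, size_t len) {
    gssapi_creds creds;
    int accepted = 0;
    memset(&creds, 0, sizeof(creds));          /* the fix */
    if (len == 0) goto error;                  /* zero-length RPC credential */
    if (decode_creds(wire, len, &creds) != 0) goto error;
    if (creds.version != 1) goto error;        /* unsupported version (hypothetical) */
    accepted = 1;
error:
    creds_free(&creds);                        /* now safe on every path */
    return accepted;
}

/* Constructed sample credentials for exercising the handler. */
const unsigned char sample_good[] = { 1, 'h', 'd', 'l' };
const unsigned char sample_bad_version[] = { 2, 'h' };
```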
For Red Hat Enterprise Linux 4 and 5, glibc contains checks that prevent this issue from being exploitable. Therefore this is a denial of service issue and is impact important. For Red Hat Enterprise Linux 2.1 and 3, this issue is potentially exploitable and could result in arbitrary code execution. Therefore this is impact critical.
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0384.html
http://rhn.redhat.com/errata/RHSA-2007-0562.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0740