Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5901 to the following vulnerability: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code. References: http://bugs.gentoo.org/show_bug.cgi?id=199214
http://marc.info/?l=full-disclosure&m=119743235325151&w=2 MIT Say: CVE-2007-5901 http://bugs.gentoo.org/show_bug.cgi?id=199214 This bug is consists of freeing a non-heap pointer, and is not a practical vulnerability due to the extreme difficulty of exploitation. In src/lib/gssapi/mechglue/g_initialize.c, the function gss_indicate_mechs() can make the call free(mechSet), which is erroneous because "mechSet" is a pointer to type "gss_OID_set" passed in by the caller of gss_indicate_mechs() and the dereferenced "*mechSet" is where the pointer to allocated memory is assigned. 201 /* still need to copy each of the oid elements arrays */ 202 for (i = 0; i < (*mechSet)->count; i++) { 203 curItem = &((*mechSet)->elements[i]); 204 curItem->elements = 205 (void *) malloc(g_mechSet.elements[i].length); 206 if (curItem->elements == NULL) { 207 (void) k5_mutex_unlock(&g_mechSetLock); 208 /* 209 * must still free the allocated elements for 210 * each allocated gss_OID_desc 211 */ 212 for (j = 0; j < i; j++) { 213 free((*mechSet)->elements[j].elements); 214 } 215 free((*mechSet)->elements); 216 free(mechSet); 217 *mechSet = NULL; 218 return (GSS_S_FAILURE); 219 } 220 g_OID_copy(curItem, &g_mechSet.elements[i]); 221 } If the allocation of (*mechSet)->elements fails, the erroneous call of free(mechSet) occurs, freeing a pointer which probably points into the stack frame of the caller. In order to successfully exploit this vulnerability, an attacker would have to cause a malloc() failure to occur at precisely the right time: almost immediately after a different malloc() call has succeeded.
Upstream bug report: http://krbdev.mit.edu/rt/Ticket/Display.html?id=5854 Fix seems to be tagged for inclusion in upstream version 1.6.4.
Upstream SVN commit: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?view=rev&rev=20178
krb5-1.6.1-9.fc7 has been submitted as an update for Fedora 7
krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8
krb5-1.6.1-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0164.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2637 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2647