Bug 415321 - (CVE-2007-5901) CVE-2007-5901 krb5: use-after-free in gssapi lib
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 434923 434924 438022 438023
Reported: 2007-12-07 03:39 EST by Tomas Hoger
Modified: 2016-03-04 07:23 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-03-31 05:42:57 EDT

Description Tomas Hoger 2007-12-07 03:39:37 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5901 to the following vulnerability:

Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors.  NOTE: this might be the result of a typo in the source code.


Comment 1 Mark J. Cox (Product Security) 2007-12-14 04:39:22 EST
MIT says:


This bug consists of freeing a non-heap pointer, and is not a
practical vulnerability due to the extreme difficulty of exploitation.
In src/lib/gssapi/mechglue/g_initialize.c, the function
gss_indicate_mechs() can make the call free(mechSet), which is
erroneous because "mechSet" is a pointer to type "gss_OID_set" passed
in by the caller of gss_indicate_mechs() and the dereferenced
"*mechSet" is where the pointer to allocated memory is assigned.

        /* still need to copy each of the oid elements arrays */
        for (i = 0; i < (*mechSet)->count; i++) {
                curItem = &((*mechSet)->elements[i]);
                curItem->elements =
                        (void *) malloc(g_mechSet.elements[i].length);
                if (curItem->elements == NULL) {
                        (void) k5_mutex_unlock(&g_mechSetLock);
                        /*
                         * must still free the allocated elements for
                         * each allocated gss_OID_desc
                         */
                        for (j = 0; j < i; j++) {
                                free((*mechSet)->elements[j].elements);
                        }
                        free((*mechSet)->elements);
                        free(mechSet);
                        *mechSet = NULL;
                        return (GSS_S_FAILURE);
                }
                g_OID_copy(curItem, &g_mechSet.elements[i]);
        }

If the allocation of (*mechSet)->elements fails, the erroneous call of
free(mechSet) occurs, freeing a pointer which probably points into the
stack frame of the caller.  In order to successfully exploit this
vulnerability, an attacker would have to cause a malloc() failure to
occur at precisely the right time: almost immediately after a
different malloc() call has succeeded.
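The out-parameter mix-up described above, reduced to a self-contained C example (added here, not MIT's code): the cleanup path frees the heap object *mechSet rather than the caller's slot mechSet, and a fault-injecting allocator (test_malloc, fail_on_alloc, and the simplified oid_desc/oid_set types are constructed for this example) exercises each failure point so the error paths can actually be checked for leaks and dangling pointers.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for gss_OID_desc / gss_OID_set_desc (constructed here). */
typedef struct { size_t length; void *elements; } oid_desc;
typedef struct { size_t count; oid_desc *elements; } oid_set_desc, *oid_set;
/* Fault-injection hook: the Nth allocation (1-based) returns NULL; 0 = never. */
static int fail_on_alloc = 0;
static int alloc_counter = 0;
static void *test_malloc(size_t n) {
    return (++alloc_counter == fail_on_alloc) ? NULL : malloc(n);
}
/* Copy src into the caller-owned out-pointer *mechSet, cleaning up correctly.
 * The bug on this page: cleanup called free(mechSet), the caller's own slot
 * (typically on its stack), instead of free(*mechSet), the heap object. */
static int copy_oid_set(const oid_set_desc *src, oid_set *mechSet) {
    size_t i, j;
    *mechSet = test_malloc(sizeof(**mechSet));
    if (*mechSet == NULL) return -1;
    (*mechSet)->count = src->count;
    (*mechSet)->elements = test_malloc(src->count * sizeof(oid_desc));
    if ((*mechSet)->elements == NULL) {
        free(*mechSet);              /* heap object, not the pointer's address */
        *mechSet = NULL;
        return -1;
    }
    for (i = 0; i < src->count; i++) {
        oid_desc *cur = &(*mechSet)->elements[i];
        cur->length = src->elements[i].length;
        cur->elements = test_malloc(cur->length);
        if (cur->elements == NULL) {
            for (j = 0; j < i; j++) free((*mechSet)->elements[j].elements);
            free((*mechSet)->elements);
            free(*mechSet);          /* the corrected line */
            *mechSet = NULL;
            return -1;
        }
        memcpy(cur->elements, src->elements[i].elements, cur->length);
    }
    return 0;
}
/* Run the copy with allocation number fail_at forced to fail (0 = none). */
static int run_with_failure(int fail_at, oid_set *out) {
    static unsigned char a[] = {1, 2, 3}, b[] = {4, 5};
    static oid_desc elems[] = {{3, a}, {2, b}};
    static const oid_set_desc src = {2, elems};
    fail_on_alloc = fail_at; alloc_counter = 0; *out = NULL;
    return copy_oid_set(&src, out);
}
```

Running the fixed function under a sanitizer with each fail_at value is the check that matters: the original free(mechSet) would report an invalid free of a stack address the moment the fourth allocation fails.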
Comment 2 Tomas Hoger 2008-02-18 08:20:45 EST
Upstream bug report:


Fix seems to be tagged for inclusion in upstream version 1.6.4.
Comment 3 Tomas Hoger 2008-02-18 08:51:06 EST
Upstream SVN commit:

Comment 7 Fedora Update System 2008-03-18 14:49:43 EDT
krb5-1.6.1-9.fc7 has been submitted as an update for Fedora 7
Comment 8 Fedora Update System 2008-03-18 14:50:35 EDT
krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-03-21 18:17:02 EDT
krb5-1.6.1-9.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-03-21 18:20:04 EDT
krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
