Bug 415321 (CVE-2007-5901) - CVE-2007-5901 krb5: use-after-free in gssapi lib
Summary: CVE-2007-5901 krb5: use-after-free in gssapi lib
Alias: CVE-2007-5901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Depends On: 434923 434924 438022 438023
Reported: 2007-12-07 08:39 UTC by Tomas Hoger
Modified: 2021-11-12 19:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-03-31 09:42:57 UTC


Related errata:
System: Red Hat Product Errata  ID: RHSA-2008:0164  Private: 0  Priority: normal  Status: SHIPPED_LIVE
Summary: Critical: krb5 security and bugfix update  Last Updated: 2008-03-18 19:26:13 UTC

Description Tomas Hoger 2007-12-07 08:39:37 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5901 to the following vulnerability:

Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors.  NOTE: this might be the result of a typo in the source code.



Comment 1 Mark J. Cox 2007-12-14 09:39:22 UTC
MIT Say:


This bug consists of freeing a non-heap pointer, and is not a
practical vulnerability due to the extreme difficulty of exploitation.
In src/lib/gssapi/mechglue/g_initialize.c, the function
gss_indicate_mechs() can make the call free(mechSet), which is
erroneous because "mechSet" is a pointer to type "gss_OID_set" passed
in by the caller of gss_indicate_mechs() and the dereferenced
"*mechSet" is where the pointer to allocated memory is assigned.

        /* still need to copy each of the oid elements arrays */
        for (i = 0; i < (*mechSet)->count; i++) {
                curItem = &((*mechSet)->elements[i]);
                curItem->elements =
                        (void *) malloc(g_mechSet.elements[i].length);
                if (curItem->elements == NULL) {
                        (void) k5_mutex_unlock(&g_mechSetLock);
                        /*
                         * must still free the allocated elements for
                         * each allocated gss_OID_desc
                         */
                        for (j = 0; j < i; j++) {
                                free((*mechSet)->elements[j].elements);
                        }
                        free((*mechSet)->elements);
                        free(mechSet);
                        *mechSet = NULL;
                        return (GSS_S_FAILURE);
                }
                g_OID_copy(curItem, &g_mechSet.elements[i]);
        }

If the allocation of (*mechSet)->elements fails, the erroneous call of
free(mechSet) occurs, freeing a pointer which probably points into the
stack frame of the caller.  In order to successfully exploit this
vulnerability, an attacker would have to cause a malloc() failure to
occur at precisely the right time: almost immediately after a
different malloc() call has succeeded.

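The pattern MIT describes above, as an added example (not code from MIT, Red Hat or krb5's own headers): a miniature of gss_indicate_mechs() built on stand-in GSS-API types and a fault-injecting allocator (both assumptions for this example) so that the malloc() failure "at precisely the right time" can be forced rather than waited for. The error path carries the corrected free(*mechSet); the original free(mechSet) is kept behind -DREPRODUCE_CVE_2007_5901 for anyone who wants to watch glibc abort on the caller's stack address. The OID bytes, the g_mechSet stand-in and the GSS_S_FAILURE encoding are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Types shaped like gssapi.h's; assumptions for this example, not krb5's headers. */
typedef struct { unsigned int length; void *elements; } gss_OID_desc, *gss_OID;
typedef struct { size_t count; gss_OID elements; } gss_OID_set_desc, *gss_OID_set;
#define GSS_S_COMPLETE 0u
#define GSS_S_FAILURE  (13u << 16)   /* routine-error encoding as in gssapi.h; assumed */

/* Constructed stand-in for the global mechanism table g_mechSet (two OIDs). */
static unsigned char oid_a[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static unsigned char oid_b[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static gss_OID_desc g_mech_elems[] = { { sizeof oid_a, oid_a }, { sizeof oid_b, oid_b } };
static gss_OID_set_desc g_mechSet = { 2, g_mech_elems };

/* Fault-injecting allocator (assumed, not krb5's): fail the Nth malloc() so the
 * cleanup path runs on demand, and count live blocks to catch leaks and over-frees. */
static int fail_at = -1, alloc_calls = 0, live_allocs = 0;

static void *xmalloc(size_t n)
{
    void *p = (alloc_calls++ == fail_at) ? NULL : malloc(n);
    live_allocs += (p != NULL);
    return p;
}
static void xfree(void *p) { live_allocs -= (p != NULL); free(p); }

/* Same allocate-then-deep-copy structure as gss_indicate_mechs().  malloc()
 * call order: #0 the set, #1 the elements array, #2 and #3 one buffer per OID. */
static unsigned int indicate_mechs(gss_OID_set *mechSet)
{
    size_t i, j;
    *mechSet = xmalloc(sizeof(gss_OID_set_desc));
    if (*mechSet == NULL)
        return GSS_S_FAILURE;
    (*mechSet)->count = g_mechSet.count;
    (*mechSet)->elements = xmalloc(g_mechSet.count * sizeof(gss_OID_desc));
    if ((*mechSet)->elements == NULL) {
        xfree(*mechSet); *mechSet = NULL; return GSS_S_FAILURE;
    }
    for (i = 0; i < (*mechSet)->count; i++) {
        gss_OID curItem = &((*mechSet)->elements[i]);
        curItem->elements = xmalloc(g_mechSet.elements[i].length);
        if (curItem->elements == NULL) {
            for (j = 0; j < i; j++)
                xfree((*mechSet)->elements[j].elements);
            xfree((*mechSet)->elements);
#ifdef REPRODUCE_CVE_2007_5901
            /* The bug: frees the caller's pointer variable (usually a stack address), not the set. */
            xfree(mechSet);
#else
            xfree(*mechSet);     /* The fix: release the set this function allocated. */
#endif
            *mechSet = NULL;
            return GSS_S_FAILURE;
        }
        curItem->length = g_mechSet.elements[i].length;
        memcpy(curItem->elements, g_mechSet.elements[i].elements, curItem->length);
    }
    return GSS_S_COMPLETE;
}

static void release_mechs(gss_OID_set set)
{
    size_t i;
    for (i = 0; i < set->count; i++)
        xfree(set->elements[i].elements);
    xfree(set->elements);
    xfree(set);
}

/* 1 only if failing malloc() #nth leaves GSS_S_FAILURE, the out-parameter reset
 * to NULL and every block this call allocated (and nothing else) freed again. */
static int failure_is_clean(int nth)
{
    gss_OID_set set = NULL;
    fail_at = nth; alloc_calls = 0; live_allocs = 0;
    return indicate_mechs(&set) == GSS_S_FAILURE && set == NULL && live_allocs == 0;
}

/* 1 only if the no-fault copy succeeds holding 4 blocks and releases back to 0. */
static int success_is_clean(void)
{
    gss_OID_set set = NULL;
    int ok;
    fail_at = -1; alloc_calls = 0; live_allocs = 0;
    ok = indicate_mechs(&set) == GSS_S_COMPLETE && set != NULL
         && set->count == 2 && live_allocs == 4;
    if (set != NULL) release_mechs(set);
    return ok && live_allocs == 0;
}

int main(void)
{
    int nth;
    printf("no fault injected: %s\n", success_is_clean() ? "clean" : "BROKEN");
    for (nth = 0; nth < 4; nth++)
        printf("malloc #%d fails: %s\n", nth, failure_is_clean(nth) ? "clean" : "BROKEN");
    return 0;
}
```

Failing malloc() #2 or #3 is the case MIT singles out: the set and its elements array are already allocated, so the cleanup has something to free and the choice between mechSet and *mechSet matters. Build with -DREPRODUCE_CVE_2007_5901 and the same run hands glibc the address of the local "set" variable, which is exactly why exploitation would need a heap allocator failure timed to that window.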
Comment 2 Tomas Hoger 2008-02-18 13:20:45 UTC
Upstream bug report:


Fix seems to be tagged for inclusion in upstream version 1.6.4.

Comment 3 Tomas Hoger 2008-02-18 13:51:06 UTC
Upstream SVN commit:


Comment 7 Fedora Update System 2008-03-18 18:49:43 UTC
krb5-1.6.1-9.fc7 has been submitted as an update for Fedora 7

Comment 8 Fedora Update System 2008-03-18 18:50:35 UTC
krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8

Comment 9 Fedora Update System 2008-03-21 22:17:02 UTC
krb5-1.6.1-9.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-03-21 22:20:04 UTC
krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
