Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5971 to the following vulnerability: Double-free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. References: http://bugs.gentoo.org/show_bug.cgi?id=199212
MIT says (http://marc.info/?l=full-disclosure&m=119743235325151&w=2):

CVE-2007-5971
http://bugs.gentoo.org/show_bug.cgi?id=199212

This bug is a double-free condition which is not a practical vulnerability due to the extreme difficulty of exploitation. If krb5_c_make_checksum() (in src/lib/gssapi/krb5/k5sealv3.c) fails, "outbuf" may be freed twice.

    err = krb5_c_make_checksum(context, ctx->cksumtype, key,
                               key_usage, &plain, &sum);
    zap(plain.data, plain.length);
    free(plain.data);
    plain.data = 0;
    if (err) {
        zap(outbuf,bufsize);
        free(outbuf);           /* first free of outbuf */
        goto error;
    }
    ...
error:
    free(outbuf);               /* second free of the same outbuf on the error path */
    token->value = NULL;
    token->length = 0;
    return err;
}

krb5_c_make_checksum() only fails if malloc() fails to allocate a very small amount of memory. To exploit this vulnerability, an attacker would need to force a malloc() failure at exactly the point where krb5_c_make_checksum is called.
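To make the control-flow problem in the quoted snippet concrete, here is an added example that is not krb5 code and not from MIT or this bug report. It models the same shape (a buffer released inside the `if (err)` block and again at the `error:` label) with a small tracking allocator, so the second release is counted rather than corrupting the real heap, and places a corrected variant beside it. `make_checksum_stub()`, `seal_token_vulnerable()`, `seal_token_fixed()` and `frees_per_buffer()` are hypothetical stand-ins; the checksum failure that MIT says would need a forced malloc() failure is modelled by a flag. Which of the possible fixes the upstream commit actually applied is not shown on this page, so the corrected variant is labelled as one fix, not the fix.

```c
/* Added example: constructed model of the double free, not krb5 code.
 * A tracking allocator counts releases per block so the second free()
 * is observed instead of aborting the process. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 8
static void *tracked[MAX_TRACKED];
static int  free_count[MAX_TRACKED];
static int  ntracked;

static void reset_tracking(void) { ntracked = 0; }

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL && ntracked < MAX_TRACKED) {
        tracked[ntracked] = p;
        free_count[ntracked] = 0;
        ntracked++;
    }
    return p;
}

/* Counts releases per block; only the first one reaches the real free(). */
static void track_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < ntracked; i++) {
        if (tracked[i] == p) {
            if (free_count[i]++ == 0)
                free(p);
            return;
        }
    }
    free(p);
}

/* Highest number of times any single block was released in the last run. */
static int max_free_count(void)
{
    int m = 0;
    for (int i = 0; i < ntracked; i++)
        if (free_count[i] > m)
            m = free_count[i];
    return m;
}

/* Hypothetical stand-in for krb5_c_make_checksum(): force_fail models the
 * allocation failure inside it that MIT describes. */
static int make_checksum_stub(int force_fail)
{
    return force_fail ? ENOMEM : 0;
}

/* Same shape as the quoted code: outbuf is freed before goto error and
 * again at the error label. */
static int seal_token_vulnerable(int force_fail, unsigned char **token)
{
    size_t bufsize = 64;
    unsigned char *outbuf = track_alloc(bufsize);
    int err;

    *token = NULL;
    if (outbuf == NULL)
        return ENOMEM;
    err = make_checksum_stub(force_fail);
    if (err) {
        memset(outbuf, 0, bufsize);   /* zap(outbuf, bufsize) */
        track_free(outbuf);           /* first free */
        goto error;
    }
    *token = outbuf;                  /* success: caller owns outbuf */
    return 0;
error:
    track_free(outbuf);               /* second free of the same block */
    return err;
}

/* One fix (assumed, not necessarily the upstream change): release outbuf
 * in exactly one place, the error label. */
static int seal_token_fixed(int force_fail, unsigned char **token)
{
    size_t bufsize = 64;
    unsigned char *outbuf = track_alloc(bufsize);
    int err;

    *token = NULL;
    if (outbuf == NULL)
        return ENOMEM;
    err = make_checksum_stub(force_fail);
    if (err) {
        memset(outbuf, 0, bufsize);   /* still zap the plaintext */
        goto error;                   /* no free() here */
    }
    *token = outbuf;
    return 0;
error:
    track_free(outbuf);               /* the only release on this path */
    return err;
}

/* Runs one variant and reports how many times the buffer was released.
 * The caller frees the token on success, so 1 is the correct answer. */
static int frees_per_buffer(int (*fn)(int, unsigned char **), int force_fail)
{
    unsigned char *tok = NULL;
    reset_tracking();
    if (fn(force_fail, &tok) == 0)
        track_free(tok);
    return max_free_count();
}

int main(void)
{
    printf("vulnerable, checksum ok:   %d free(s)\n", frees_per_buffer(seal_token_vulnerable, 0));
    printf("vulnerable, checksum fail: %d free(s)\n", frees_per_buffer(seal_token_vulnerable, 1));
    printf("fixed,      checksum fail: %d free(s)\n", frees_per_buffer(seal_token_fixed, 1));
    return 0;
}
```

With the real allocator the second release in the vulnerable path would be an actual double free; the tracking wrapper exists only so the run completes and the count can be read. The point the model makes is the one MIT's note makes: the bad path is reached only when the checksum step fails, which in the real code means an allocation failure at that exact point, so the bug is real but an attacker has no practical lever to trigger it.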
Upstream bug report: http://krbdev.mit.edu/rt/Ticket/Display.html?id=5856 Fix seems to be tagged for inclusion in upstream version 1.6.4.
Upstream SVN commit: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?view=rev&rev=20180
krb5-1.6.1-9.fc7 has been submitted as an update for Fedora 7
krb5-1.6.2-14.fc8 has been submitted as an update for Fedora 8
krb5-1.6.1-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.6.2-14.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0180.html
http://rhn.redhat.com/errata/RHSA-2008-0164.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2637
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2647