Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5972 to the following vulnerability: Double-free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and thus the attacker must have privileges to store this key. References: http://bugs.gentoo.org/show_bug.cgi?id=199211
MIT say http://marc.info/?l=full-disclosure&m=119743235325151&w=2 CVE-2007-5972 http://bugs.gentoo.org/show_bug.cgi?id=199211 This bug is a double-free (actually a double-fclose) bug which is not a vulnerability due to inaccessibility to an attacker. If the fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c) fails, the file pointer "kf" may have fclose() called on it twice. 180 if ((fwrite((krb5_pointer) &enctype, 181 2, 1, kf) != 1) || 182 (fwrite((krb5_pointer) &key->length, 183 sizeof(key->length), 1, kf) != 1) || 184 (fwrite((krb5_pointer) key->contents, 185 sizeof(key->contents[0]), (unsigned) key->length, 186 kf) != key->length)) { 187 retval = errno; 188 (void) fclose(kf); 189 } 190 if (fclose(kf) == EOF) 191 retval = errno; The relevant code stashes a KDC master key. It is only run by explicit action of a KDC administrator, who already has all the privileges that exploiting this bug would gain. A properly configured KDC will have no unprivileged users having shell or other login access; therefore, an unprivileged user cannot cause the fwrite() failure necessary for triggering this bug. Also, under normal conditions, the code is run exactly once in the lifetime of a KDC: at database creation time.