Bug 581922 - (CVE-2010-1320) CVE-2010-1320 krb5: double-free vulnerability in 1.7+
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20100420,reported=20100412,sou...
Keywords: Security
Depends On: 584092 584093 584094

Reported: 2010-04-13 11:45 EDT by Vincent Danen
Modified: 2015-10-15 17:11 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-25 05:53:29 EDT
Description Vincent Danen 2010-04-13 11:45:14 EDT
A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later.  This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult).

This issue does not affect previous versions of MIT krb5.

From the upstream advisory (MITKRB5-SA-2010-004):

When process_tgs_req() handles renewal or validation of existing
tickets, it copies header_ticket->enc_part2 (from the ticket that is
being validated or renewed) to enc_tkt_reply (the new ticket being
generated for the reply). This causes
enc_tkt_reply.authorization_data to be an alias for memory that
belongs to the request. As process_tgs_req() exits, it frees both
header_ticket and enc_tkt_reply, which causes the aliased memory to be
freed twice.

In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS
request processing normally adds a "signedpath" authorization data
element, which causes merge_authdata() to run. Inside
merge_authdata() is a call to realloc() that can potentially cause the
authorization data from header_ticket to be freed (if realloc() needs
to relocate the memory) an additional time before the cleanup code at
the end of process_tgs_req(). The krb5-1.7 releases can still
encounter this condition under less common circumstances, such as when
a client provides authorization data that it wants the KDC to include in
the new ticket.
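The aliasing described in the advisory excerpt above, reduced to a stand-alone C illustration. This is an added example, not code from MIT krb5 or from this bug report: the struct type enc_tkt_part, its single authorization_data field, and the functions buggy_renew, fixed_renew, moved_renew and tracked_free are constructed for illustration only. A small free-tracking shim records which pointers have already been released and reports a second release instead of handing it to free(), so the buggy path can be run safely; in real code that second free is the undefined behaviour the advisory describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, heavily simplified stand-in for the ticket structure in the
 * advisory. authorization_data is a heap buffer owned by the struct. */
typedef struct {
    char *authorization_data;
} enc_tkt_part;

/* Constructed free-tracking shim: remembers released pointers so a second
 * release of the same pointer is counted rather than performed. */
#define MAX_FREED 16
static void *freed_ptrs[MAX_FREED];
static int freed_count;
static int double_free_attempts;

static void reset_tracker(void) { freed_count = 0; double_free_attempts = 0; }

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {
            double_free_attempts++;  /* would be a real double free in production code */
            return;
        }
    }
    if (freed_count < MAX_FREED) freed_ptrs[freed_count++] = p;
    free(p);
}

/* Portable strdup replacement (constructed helper). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Cleanup mirrors what happens to both tickets at the end of request processing. */
static void free_ticket_contents(enc_tkt_part *t) {
    tracked_free(t->authorization_data);
    t->authorization_data = NULL;
}

/* Buggy pattern: struct assignment copies the pointer, not the buffer, so
 * both structs believe they own the same authorization data. */
static int buggy_renew(void) {
    reset_tracker();
    enc_tkt_part header_ticket = { dup_str("constructed-authdata") };
    enc_tkt_part enc_tkt_reply = header_ticket;   /* shallow copy: aliased pointer */
    free_ticket_contents(&header_ticket);         /* first release */
    free_ticket_contents(&enc_tkt_reply);         /* same pointer released again */
    return double_free_attempts;                  /* 1 */
}

/* Fix A: deep-copy the buffer so each struct owns distinct memory. */
static int fixed_renew(void) {
    reset_tracker();
    enc_tkt_part header_ticket = { dup_str("constructed-authdata") };
    enc_tkt_part enc_tkt_reply;
    enc_tkt_reply.authorization_data = dup_str(header_ticket.authorization_data);
    free_ticket_contents(&header_ticket);
    free_ticket_contents(&enc_tkt_reply);
    return double_free_attempts;                  /* 0 */
}

/* Fix B: transfer ownership so exactly one struct holds the pointer. */
static int moved_renew(void) {
    reset_tracker();
    enc_tkt_part header_ticket = { dup_str("constructed-authdata") };
    enc_tkt_part enc_tkt_reply = header_ticket;   /* alias... */
    header_ticket.authorization_data = NULL;      /* ...then drop the source's claim */
    free_ticket_contents(&header_ticket);         /* NULL: no-op */
    free_ticket_contents(&enc_tkt_reply);
    return double_free_attempts;                  /* 0 */
}

int main(void) {
    printf("shallow copy:   %d double-free attempt(s)\n", buggy_renew());
    printf("deep copy:      %d double-free attempt(s)\n", fixed_renew());
    printf("ownership move: %d double-free attempt(s)\n", moved_renew());
    return 0;
}
```

Either fix removes the alias that the advisory identifies as the root cause; with the alias gone, an intermediate realloc() of the reply's authorization data (the merge step the advisory mentions) can no longer invalidate a pointer still held by the request side.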
Comment 6 Vincent Danen 2010-04-20 14:42:46 EDT
This is now public:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
Comment 8 Vincent Danen 2010-04-20 14:43:30 EDT
Created krb5 tracking bugs for this issue

Affects: fedora-12 [bug 584093]
Affects: fedora-13 [bug 584094]
Comment 9 Fedora Update System 2010-04-20 15:02:49 EDT
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12
Comment 10 Fedora Update System 2010-04-20 15:02:51 EDT
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13
Comment 11 Fedora Update System 2010-04-21 17:53:56 EDT
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-04-21 17:58:02 EDT
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.