Bug 581922 (CVE-2010-1320) - CVE-2010-1320 krb5: double-free vulnerability in 1.7+
Summary: CVE-2010-1320 krb5: double-free vulnerability in 1.7+
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 584092 584093 584094
Blocks:
 
Reported: 2010-04-13 15:45 UTC by Vincent Danen
Modified: 2021-11-12 20:05 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-25 09:53:29 UTC
Embargoed:



Description Vincent Danen 2010-04-13 15:45:14 UTC
A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later.  This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult).

This issue does not affect previous versions of MIT krb5.

From the upstream advisory (MITKRB5-SA-2010-004):

When process_tgs_req() handles renewal or validation of existing
tickets, it copies header_ticket->enc_part2 (from the ticket that is
being validated or renewed) to enc_tkt_reply (the new ticket being
generated for the reply). This causes
enc_tkt_reply.authorization_data to be an alias for memory that
belongs to the request. As process_tgs_req() exits, it frees both
header_ticket and enc_tkt_reply, which causes the aliased memory to be
freed twice.

In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS
request processing normally adds a "signedpath" authorization data
element, which causes merge_authdata() to run. Inside
merge_authdata() is a call to realloc() that can potentially cause the
authorization data from header_ticket to be freed (if realloc() needs
to relocate the memory) an additional time before the cleanup code at
the end of process_tgs_req(). The krb5-1.7 releases can still
encounter this condition under less common circumstances, such as when
a client provides authorization data that it wants the KDC to include in
the new ticket.
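
The ownership problem the advisory describes, reduced to a small model, as an added example (this is not MIT krb5 code; the struct and function names below echo the advisory's wording but their layouts are assumptions of this example). `shallow_copy()` is the vulnerable pattern: copying the decrypted ticket part by struct assignment makes `reply.authorization_data` an alias of the request's array, so a later `realloc()` in the merge step, or the cleanup that frees both tickets, frees the same block twice. `deep_copy()` is the shape of the fix: the reply gets its own copy of every element, so the two tickets can be merged and freed independently. The example never performs the double free itself; it only shows which pointers end up shared.

```c
/* Added example, not MIT krb5 source: simplified model of the aliasing bug
 * in process_tgs_req() (MITKRB5-SA-2010-004) and of a deep-copy fix.
 * Types and names are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an authorization-data element (hypothetical layout). */
typedef struct {
    int type;
    size_t length;
    unsigned char *contents;
} authdata;

/* Stand-in for the decrypted ticket part; authorization_data is a
 * NULL-terminated array of element pointers. */
typedef struct {
    authdata **authorization_data;
} enc_tkt_part;

static void free_authdata(authdata **ad)
{
    if (ad == NULL) return;
    for (size_t i = 0; ad[i] != NULL; i++) {
        free(ad[i]->contents);
        free(ad[i]);
    }
    free(ad);
}

/* Build a one-element list from constructed sample data. */
static authdata **make_authdata(int type, const char *payload)
{
    authdata **ad = calloc(2, sizeof(*ad));
    ad[0] = calloc(1, sizeof(**ad));
    ad[0]->type = type;
    ad[0]->length = strlen(payload);
    ad[0]->contents = malloc(ad[0]->length);
    memcpy(ad[0]->contents, payload, ad[0]->length);
    return ad;              /* ad[1] is already NULL from calloc() */
}

/* Vulnerable pattern: struct assignment copies the pointer, so the reply's
 * authorization_data aliases the request's. Freeing both frees it twice. */
static void shallow_copy(enc_tkt_part *reply, const enc_tkt_part *header)
{
    *reply = *header;
}

/* Fix: duplicate every element so the reply owns its own memory. */
static int deep_copy(enc_tkt_part *reply, const enc_tkt_part *header)
{
    size_t n = 0;
    while (header->authorization_data[n] != NULL) n++;
    authdata **copy = calloc(n + 1, sizeof(*copy));
    if (copy == NULL) return -1;
    for (size_t i = 0; i < n; i++) {
        const authdata *src = header->authorization_data[i];
        copy[i] = calloc(1, sizeof(*copy[i]));
        if (copy[i] == NULL) { free_authdata(copy); return -1; }
        copy[i]->type = src->type;
        copy[i]->length = src->length;
        copy[i]->contents = malloc(src->length);
        if (copy[i]->contents == NULL) { free_authdata(copy); return -1; }
        memcpy(copy[i]->contents, src->contents, src->length);
    }
    reply->authorization_data = copy;
    return 0;
}

/* Mimics the merge step: grow the list with realloc(). If the block moves,
 * the old array is freed here, which on a shallow copy is the request's. */
static int append_authdata(enc_tkt_part *tkt, int type, const char *payload)
{
    size_t n = 0;
    while (tkt->authorization_data[n] != NULL) n++;
    authdata **grown = realloc(tkt->authorization_data, (n + 2) * sizeof(*grown));
    if (grown == NULL) return -1;
    tkt->authorization_data = grown;
    grown[n] = make_authdata(type, payload)[0]; /* leaks the 2-slot wrapper */
    grown[n + 1] = NULL;
    return 0;
}

/* Returns 1 when the two ticket parts share one authorization_data array. */
int shallow_copy_aliases(void)
{
    enc_tkt_part header = { make_authdata(1, "hdr") };
    enc_tkt_part reply;
    shallow_copy(&reply, &header);
    int shared = reply.authorization_data == header.authorization_data;
    free_authdata(header.authorization_data);   /* once only: reply is an alias */
    return shared;
}

/* Deep copy, then merge one element into the reply; returns the reply's
 * element count (2), or -1 if the copy still aliased the request. */
int deep_copy_then_merge(void)
{
    enc_tkt_part header = { make_authdata(1, "hdr") };
    enc_tkt_part reply;
    if (deep_copy(&reply, &header) != 0) return -1;
    if (append_authdata(&reply, 2, "signedpath") != 0) return -1;
    int shared = reply.authorization_data == header.authorization_data;
    size_t n = 0;
    while (reply.authorization_data[n] != NULL) n++;
    free_authdata(header.authorization_data);   /* both owners free safely */
    free_authdata(reply.authorization_data);
    return shared ? -1 : (int)n;
}

int main(void)
{
    printf("shallow copy aliases request: %d\n", shallow_copy_aliases());
    printf("deep copy + merge element count: %d\n", deep_copy_then_merge());
    return 0;
}
```

The `append_authdata()` helper deliberately keeps only the element pointer from `make_authdata()` and drops its wrapper array; that small leak is accepted to keep the example short and does not affect the ownership point being shown.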

Comment 6 Vincent Danen 2010-04-20 18:42:46 UTC
This is now public:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt

Comment 8 Vincent Danen 2010-04-20 18:43:30 UTC
Created krb5 tracking bugs for this issue

Affects: fedora-12 [bug 584093]
Affects: fedora-13 [bug 584094]

Comment 9 Fedora Update System 2010-04-20 19:02:49 UTC
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12

Comment 10 Fedora Update System 2010-04-20 19:02:51 UTC
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13

Comment 11 Fedora Update System 2010-04-21 21:53:56 UTC
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-04-21 21:58:02 UTC
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

