A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later. This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult).
This issue does not affect previous versions of MIT krb5.
From the upstream advisory (MITKRB5-SA-2010-004):
When process_tgs_req() handles renewal or validation of existing tickets, it copies header_ticket->enc_part2 (from the ticket that is being validated or renewed) to enc_tkt_reply (the new ticket being generated for the reply). This causes enc_tkt_reply.authorization_data to be an alias for memory that belongs to the request. As process_tgs_req() exits, it frees both header_ticket and enc_tkt_reply, which causes the aliased memory to be
In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS request processing normally adds a "signedpath" authorization data element, which causes merge_authdata() to run. Inside merge_authdata() is a call to realloc() that can potentially cause the authorization data from header_ticket to be freed (if realloc() needs to relocate the memory) an additional time before the cleanup code at the end of process_tgs_req(). The krb5-1.7 releases can still encounter this condition under less common circumstances, such as when a client provides authorization data that it wants the KDC to include in the new ticket.
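The ownership mistake the advisory describes, modelled as an added C example (not MIT krb5 code; the structs, merge_authdata(), copy_aliasing() and copy_deep() are simplified stand-ins): a struct copy that shares one authorization-data array between the header ticket and the reply, beside a copy that gives the reply its own array so a later realloc() and the final frees each touch only one owner.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified stand-ins for the KDC's ticket structures; elements are
 * string literals here so only the element array itself is heap-owned. */
typedef struct { const char **elems; size_t n; } authdata_list;
typedef struct { authdata_list authorization_data; } enc_tkt_part;

/* Append one element. realloc() may move the array; if that array is still shared
 * with another ticket, the old block is freed behind that other ticket's back. */
static int merge_authdata(authdata_list *ad, const char *elem) {
    const char **grown = realloc(ad->elems, (ad->n + 1) * sizeof *grown);
    if (!grown) return -1;
    ad->elems = grown;
    ad->elems[ad->n++] = elem;
    return 0;
}

/* Aliasing copy: struct assignment copies the pointer, so header and reply share
 * one array and both owners will try to free it (the advisory's double free). */
static void copy_aliasing(enc_tkt_part *dst, const enc_tkt_part *src) { *dst = *src; }

/* Hardened copy: the reply gets its own array, so each ticket frees only its own. */
static int copy_deep(enc_tkt_part *dst, const enc_tkt_part *src) {
    size_t n = src->authorization_data.n;
    dst->authorization_data.elems = malloc((n ? n : 1) * sizeof *dst->authorization_data.elems);
    if (!dst->authorization_data.elems) return -1;
    if (n) memcpy(dst->authorization_data.elems, src->authorization_data.elems, n * sizeof *src->authorization_data.elems);
    dst->authorization_data.n = n;
    return 0;
}

static void free_authdata(authdata_list *ad) { free(ad->elems); ad->elems = NULL; ad->n = 0; }

/* Model the TGS path: copy header -> reply, merge "signedpath" into the reply, free both.
 * Returns 1 when the tickets own distinct storage (both frees are safe); 0 when they
 * alias, in which case this model frees only once rather than reproduce the crash. */
static int tgs_reply_owns_storage(int deep_copy) {
    enc_tkt_part header = { { NULL, 0 } }, reply = { { NULL, 0 } };
    int distinct;
    if (merge_authdata(&header.authorization_data, "client-supplied") != 0) return -1;
    if (!deep_copy) copy_aliasing(&reply, &header);
    else if (copy_deep(&reply, &header) != 0) { free_authdata(&header.authorization_data); return -1; }
    distinct = reply.authorization_data.elems != header.authorization_data.elems;
    if (distinct) {
        merge_authdata(&reply.authorization_data, "signedpath"); /* realloc cannot hurt header now */
        free_authdata(&reply.authorization_data);
    }
    free_authdata(&header.authorization_data);
    return distinct;
}
```

Running the aliasing variant with both frees left in place under AddressSanitizer or valgrind is the quickest way to confirm that a build carries this pattern; the deep copy is what lets the cleanup at the end of the request free both tickets unconditionally.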
This is now public:
Created krb5 tracking bugs for this issue
Affects: fedora-12 [bug 584093]
Affects: fedora-13 [bug 584094]
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.