A bug was discovered [1],[2] in the password-changing capability of the MIT krb5 administration daemon (kadmind) that can cause it to attempt to free() an invalid pointer under certain error conditions. This could allow an unauthenticated remote attacker to cause the kadmind process to terminate, resulting in a denial of service. Only krb5 1.7 and higher are vulnerable to this flaw; earlier releases to do not contain the functionality that the vulnerable code implements. Upcoming krb5 releases will correct the flaw, but patches are available for 1.7.x/1.8.x [3] and 1.9.x [4]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726 [2] http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-004.txt [3] http://web.mit.edu/kerberos/advisories/2011-004-patch-r18.txt [4] http://web.mit.edu/kerberos/advisories/2011-004-patch.txt
Created krb5 tracking bugs for this issue Affects: fedora-all [bug 696343]
Glibc protections turn an invalid-free into a crash-only (no arbitrary code execution).
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0447 https://rhn.redhat.com/errata/RHSA-2011-0447.html
Statement: This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5.