Bug 829681 - krb5: krb5_verify_init_creds frees caller provided Krb5 principal
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120606,repor...
Keywords: Security
Blocks: 829683

Reported: 2012-06-07 05:55 EDT by Jan Lieskovsky
Modified: 2012-06-08 10:00 EDT

Doc Type: Bug Fix
Last Closed: 2012-06-08 10:00:29 EDT

Attachments: None
Description Jan Lieskovsky 2012-06-07 05:55:12 EDT
A double free flaw was found in the way the Kerberos 5 libraries performed credential verification for a provided Kerberos 5 principal by using externally accessible services. A remote attacker could provide a specially crafted Kerberos principal to an application linked against the Kerberos 5 libraries that, when validated by the external application for correctness, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512410
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512410#50
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512410#60
Comment 1 Jan Lieskovsky 2012-06-08 09:29:38 EDT
Upstream patch which introduced the issue:
[4] https://github.com/krb5/krb5/commit/caf1fdd98690019d9ac9f56125f4916cfbdfd2d4

Relevant ticket:
[5] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7125

Clarification of the problem from Russ Allbery:
[6] http://mailman.mit.edu/pipermail/krb5-bugs/2012-June/009166.html

Reply from krb5 upstream to this:
[7] http://mailman.mit.edu/pipermail/krb5-bugs/2012-June/009167.html

And patch correcting the issue:
[8] https://github.com/krb5/krb5/commit/dd64191e02df0a13b29345e4c50fe03e039dc207

Relevant ticket:
[9] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7162
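As an added illustration (not code from the krb5 project, from this bug's reporter, or from any of the linked commits), the C program below models the ownership mistake the bug title names: a library routine that frees a principal its caller supplied, so that a caller which correctly frees its own object ends up freeing it twice. Every identifier here (toy_principal, toy_parse_principal, toy_free_principal, verify_init_creds_buggy, verify_init_creds_fixed, run_caller) is invented for the example and is not an MIT krb5 API. Because a real second free() is undefined behaviour, the toy's free routine records a second free instead of performing it, which lets the program report the defect rather than crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a principal (assumption: not the MIT krb5_principal
 * type). Whoever allocates it owns it and is responsible for freeing it. */
typedef struct toy_principal {
    char *name;
    int   live;   /* 1 while allocated, 0 after the first free */
} toy_principal;

/* Count of second frees caught by the instrumented free below. */
static int g_double_frees = 0;

static toy_principal *toy_parse_principal(const char *name)
{
    toy_principal *p = calloc(1, sizeof *p);
    size_t n = strlen(name) + 1;
    if (p == NULL)
        return NULL;
    p->name = malloc(n);
    if (p->name == NULL) {
        free(p);
        return NULL;
    }
    memcpy(p->name, name, n);
    p->live = 1;
    return p;
}

/* Instrumented free. Calling free() twice on the same block is undefined
 * behaviour (heap corruption, a crash, or worse), so instead of doing that
 * this version records the second free and leaves the object alone. The
 * struct itself is deliberately not released so the 'live' flag stays
 * readable; a real free routine would release it too. */
static void toy_free_principal(toy_principal *p)
{
    if (p == NULL)
        return;
    if (!p->live) {
        g_double_frees++;
        return;
    }
    p->live = 0;
    free(p->name);
    p->name = NULL;
}

/* Buggy ownership contract, the shape of the regression this bug is about:
 * the verifier frees the principal the caller passed in. */
static int verify_init_creds_buggy(toy_principal *server)
{
    /* ... verification against the service would happen here ... */
    toy_free_principal(server);   /* BUG: 'server' belongs to the caller */
    return 0;
}

/* Fixed contract: the routine frees only what it allocated itself. When
 * the caller passes NULL it builds a default principal and frees that. */
static int verify_init_creds_fixed(toy_principal *server)
{
    toy_principal *local = NULL;
    if (server == NULL) {
        local = toy_parse_principal("host/default@EXAMPLE.COM");
        if (local == NULL)
            return -1;
        server = local;
    }
    (void)server;                 /* the real check would use it here */
    toy_free_principal(local);    /* NULL unless this routine allocated it */
    return 0;
}

/* A caller written to the documented contract: it created the principal,
 * so it frees it after the call. Returns how many double frees the
 * instrumented free caught during this caller's run. */
static int run_caller(int (*verify)(toy_principal *))
{
    int before = g_double_frees;
    toy_principal *server =
        toy_parse_principal("host/kdc.example.com@EXAMPLE.COM");
    if (server == NULL)
        return -1;
    if (verify(server) != 0)
        return -1;
    toy_free_principal(server);   /* correct per the contract */
    return g_double_frees - before;
}

int main(void)
{
    printf("fixed contract: %d double free(s) detected\n",
           run_caller(verify_init_creds_fixed));
    printf("buggy contract: %d double free(s) detected\n",
           run_caller(verify_init_creds_buggy));
    return 0;
}
```

The rule the toy enforces, free only what you allocated and keep anything the routine allocates on the caller's behalf in a separate local, is the ownership contract the bug title describes krb5_verify_init_creds as having broken for the caller-provided principal; a callee that wants to consume an argument has to say so in its interface (for instance by taking a pointer-to-pointer and clearing it) rather than silently freeing it.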
Comment 2 Jan Lieskovsky 2012-06-08 10:00:29 EDT
This issue did NOT affect the versions of the krb5 package, as shipped
with Red Hat Enterprise Linux 5 and 6, as they did not include the upstream commit caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 that introduced this issue.

--

This issue did NOT affect the versions of the krb5 package, as shipped
with Fedora release of 15, 16, and 17, as they did not include the upstream
commit caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 that introduced this issue.
