The MIT Kerberos Team has made us aware of the following flaw in krb5: CVE-2007-2443: The RPC library can write past the end of a stack buffer.

The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable "str_len". Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, which will always be true if "str_len" is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the memmove() implementation receives a very large number (a negative integer converted to a large unsigned value), which will almost certainly cause some sort of memory access fault prior to returning. This probably avoids any usage of the corrupted return address in the overwritten stack frame. Note that some (perhaps unlikely) memmove() implementations may call other procedures and thus may be vulnerable to corrupted return addresses.
On all architectures of Red Hat Enterprise Linux, a memmove() with such a large size will simply segfault, so this issue can lead to a denial of service. (Note that this memmove() overflow is not caught by FORTIFY_SOURCE due to the structure of the code.)
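The signed/unsigned confusion described above, modelled in a small added example (this is not the krb5 code; MAX_MACHINE_NAME's value, the helper names and the sample XDR bytes are assumptions for illustration). The flawed check lets any length of 2^31 or more through because it becomes negative; the hardened parser keeps the length unsigned and also bounds it by the input and output sizes.

```c
/* Added example, not from krb5. Models the str_len check in
 * gssrpc__svcauth_unix(); MAX_MACHINE_NAME value is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_MACHINE_NAME 255   /* assumed limit for illustration */

/* Big-endian 32-bit read, like IXDR_GET_U_LONG on one XDR word. */
static uint32_t xdr_get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed check: the unsigned length lands in a signed int, so any value
 * >= 2^31 wraps negative and "str_len < MAX_MACHINE_NAME" still holds.
 * Returns 1 if such a length would (wrongly) be accepted. */
int vulnerable_check_passes(uint32_t raw_len) {
    int str_len = (int)raw_len;   /* negative for large inputs */
    return str_len < MAX_MACHINE_NAME;
}

/* Hardened parse: keep the length unsigned, bound it by the limit, by
 * the bytes actually present and by the destination size, then copy.
 * Returns the copied length, or -1 if the record is rejected. */
int parse_machine_name(const unsigned char *buf, size_t buf_len,
                       char *out, size_t out_len) {
    if (buf_len < 4) return -1;
    uint32_t str_len = xdr_get_u32(buf);          /* stays unsigned */
    if (str_len >= MAX_MACHINE_NAME) return -1;   /* no sign confusion */
    if (str_len > buf_len - 4) return -1;         /* no read past input */
    if (str_len >= out_len) return -1;            /* room for the NUL */
    memmove(out, buf + 4, str_len);
    out[str_len] = '\0';
    return (int)str_len;
}

/* Constructed sample records: a 4-byte name, and an all-ones length. */
int demo_good_record(void) {
    const unsigned char rec[] = {0, 0, 0, 4, 'h', 'o', 's', 't'};
    char name[MAX_MACHINE_NAME];
    return parse_machine_name(rec, sizeof rec, name, sizeof name);
}
int demo_huge_length(void) {
    const unsigned char rec[] = {0xff, 0xff, 0xff, 0xff};
    char name[MAX_MACHINE_NAME];
    return parse_machine_name(rec, sizeof rec, name, sizeof name);
}
```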
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0384.html
http://rhn.redhat.com/errata/RHSA-2007-0562.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0740