Bug 576011 (CVE-2010-0629) - CVE-2010-0629 krb5: kadmind use-after-free remote crash (MITKRB5-SA-2010-003)
Summary: CVE-2010-0629 krb5: kadmind use-after-free remote crash (MITKRB5-SA-2010-003)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.mit.edu/kerberos/www/advis...
Whiteboard:
Depends On: 578185 578186
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-23 01:21 UTC by Vincent Danen
Modified: 2019-09-29 12:35 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-09 06:16:45 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0343 0 normal SHIPPED_LIVE Important: krb5 security and bug fix update 2010-04-06 23:07:55 UTC

Description Vincent Danen 2010-03-23 01:21:18 UTC
Brian Atkisson reported that the kadmind server on a master KDC was crashing due to certain requests from kadmin clients from krb5 1.8.  This is due to check_handle() in server_stubs.c returning a failure if the clients tries to start with API version 3.  The server frees the handle, and then attempts to dereference the handle when calling krb5_get_error_message(), at which point kadmind will usually segfault and crash.

This has already been fixed upstream in changeset 20485:

http://src.mit.edu/fisheye/changelog/krb5/?cs=20485

Comment 2 Vincent Danen 2010-03-23 02:08:28 UTC
This was previously reported to Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052

and upstream:

http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=5998

By the looks of the upstream reports, this is just a denial of service, nothing more.  It was also assigned CVE-2010-0629.

Comment 10 Vincent Danen 2010-03-23 19:50:48 UTC
Looking at the commit, this would have been fixed in 1.6.4, which means Fedora 11 is vulnerable.

This issue also does not affect Red Hat Enterprise Linux 4 or earlier as the variable in question (handle) isn't referenced after it is freed.

This issue does affect Red Hat Enterprise Linux 5.

Comment 13 Jan Lieskovsky 2010-04-06 21:01:56 UTC
Public via:
  [1] http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-003.txt

Comment 14 errata-xmlrpc 2010-04-06 23:07:58 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0343 https://rhn.redhat.com/errata/RHSA-2010-0343.html

Comment 15 Fedora Update System 2010-04-07 06:47:45 UTC
krb5-1.6.3-29.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/krb5-1.6.3-29.fc11

Comment 16 Fedora Update System 2010-04-09 01:42:00 UTC
krb5-1.6.3-29.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.