The MIT krb5 KDC daemon can dereference an uninitialized pointer while processing a malformed AS-REQ, causing the daemon to abnormally terminate. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be very difficult. The KDC in releases krb5-1.10 and later is vulnerable to this flaw.

Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Patch: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

Acknowledgements: Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Emmanuel Bouillon (NCI Agency) as the original reporter of the flaw.
Looking at the patch in the advisory, it seems that in function process_as_req(), the affected code segment does not exist before version 1.10.x. The vulnerable code segment is:

    state = malloc(sizeof(*state));
    ...
    state->session_key.contents = 0;
    state->enc_tkt_reply.authorization_data = NULL;
    ...

All members of the struct pointed to by state are set to 0, except state->inner_body, which is a pointer to a krb5_data object. An error condition in process_as_req() results in control being passed to the error handler, which dereferences it, and hence causes a crash.
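The pattern described above, as a constructed example added here (not krb5 code): a per-request state object whose members are cleared one at a time after malloc(), with the error path cleaning up a pointer member that no code path on the way to the error handler has set. The struct, field names and handler are a model of the description, not the real KDC types; the hardened form allocates with calloc() so the error path always sees a NULL pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data (constructed). */
typedef struct {
    char *data;
    size_t length;
} req_data;

/* Model of the per-request state: the bug left inner_body uninitialized
 * while the other members were zeroed one by one after malloc(). */
typedef struct {
    req_data *inner_body;
    req_data session_key;
    int errcode;
} as_req_state;

/* NULL-tolerant release of a req_data, as a cleanup routine should be. */
static void free_req_data(req_data *d) {
    if (d == NULL) return;
    free(d->data);
    free(d);
}

/* Hardened handler. calloc() zeroes every member, including inner_body, so
 * the single error path can free it unconditionally. A zero-length body
 * simulates the malformed request that bails out early. Returns 0 on
 * success, -1 on error. */
int handle_as_req(const char *body, size_t len) {
    /* Vulnerable form: state = malloc(sizeof(*state)); followed by per-field
     * zeroing that forgets inner_body, so the free below reads heap garbage. */
    as_req_state *state = calloc(1, sizeof(*state));
    if (state == NULL) return -1;
    int rc = 0;

    if (len == 0) {             /* malformed: reach cleanup before inner_body is set */
        rc = -1;
        goto cleanup;
    }
    state->inner_body = malloc(sizeof(*state->inner_body));
    if (state->inner_body == NULL) { rc = -1; goto cleanup; }
    state->inner_body->data = malloc(len);
    if (state->inner_body->data == NULL) { rc = -1; goto cleanup; }
    memcpy(state->inner_body->data, body, len);
    state->inner_body->length = len;

cleanup:
    free_req_data(state->inner_body);   /* no-op on the malformed path */
    free(state);
    return rc;
}
```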
This issue does not affect the version of krb5 package as shipped with Fedora-16. This issue affects the version of krb5 package as shipped with Fedora-17.
Statement: Not Vulnerable. This issue does not affect the version of krb5 package as shipped with Red Hat Enterprise Linux 5 and 6.
External Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Created krb5 tracking bugs for this issue.
Affects: fedora-17 [bug 844779]