From the upstream commit [1]: An authenticated remote client can cause a KDC to crash by making a valid TGS-REQ to a KDC serving a realm with a single-component name. The process_tgs_req() function dereferences a null pointer because an unusual failure condition causes a helper function to return success. While attempting to provide cross-realm referrals for host-based service principals, the find_referral_tgs() function could return a TGS principal for a zero-length realm name (indicating that the hostname in the service principal has no known realm associated with it). Subsequently, the find_alternate_tgs() function would attempt to construct a path to this empty-string realm, and return success along with a null pointer in its output parameter. This happens because krb5_walk_realm_tree() returns a list of length one when it attempts to construct a transit path between a single-component realm and the empty-string realm. This list causes a loop in find_alternate_tgs() to iterate over zero elements, resulting in the unexpected output of a null pointer, which process_tgs_req() proceeds to dereference because there is no error condition. Add an error condition to find_referral_tgs() when krb5_get_host_realm() returns an empty realm name. Also add an error condition to find_alternate_tgs() to handle the length-one output from krb5_walk_realm_tree(). The vulnerable configuration is not likely to arise in practice. (Realm names that have a single component are likely to be test realms.) Releases prior to krb5-1.11 are not vulnerable. [1] https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
This only affects Fedora 19 as Fedora 18 ships with an older version (pre 1.11.x). Statement: Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 and 6.
Created krb5 tracking bugs for this issue: Affects: fedora-19 [bug 1030744]
krb5-1.11.3-32.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.11.3-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.