During prompting initiated by the Kerberos library, an attacker who enters a response exactly as long as the buffer provided by the underlying Kerberos library will cause pam-krb5 to write a single nul byte past the end of that buffer. Depending on where the library allocated the buffer, this could result in heap corruption or a single-byte overwrite of an adjacent stack variable, with unknown consequences.
Analysis: According to the reporter, this flaw is difficult to exploit and may not be easy to trigger.

1. This is a single-byte overflow. The buffer is allocated by the MIT Kerberos library against which the pam_krb5 versions shipped in Red Hat Enterprise Linux and Fedora are compiled, so depending on that library's allocation layout the extra nul byte may well land in padding or alignment slack, and no adjacent variable would be overwritten.

2. The flaw is triggered only when password prompting is initiated by the Kerberos library. Under normal usage of this PAM module, prompting is never initiated by the Kerberos library, so most configurations are not readily vulnerable to this bug. Kerberos-library-initiated prompting generally happens only with the no_prompt PAM configuration option, PKINIT, or other non-password preauthentication mechanisms.

In any case, this issue does not affect the versions of the pam_krb5 package shipped with Red Hat products: that package has been heavily refactored and no longer shares the affected code with the upstream pam-krb5 sources at https://www.eyrie.org/~eagle/software/pam-krb5/
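The bug class behind this report is an off-by-one in copying a response into a caller-supplied buffer: the length check admits a response that fills the buffer exactly, and the terminating nul then lands one byte past the end. The following is an added, constructed C illustration of that pattern beside its hardened form; it is not pam-krb5's or MIT Kerberos's code, and the prompt_reply structure, its field names and the fill_reply_* functions are assumptions made for the example. A canary byte placed directly after the buffer makes the single-byte overwrite observable without relying on undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a library-owned prompt reply buffer. Not pam-krb5's
 * or MIT Kerberos's code; the type and field names are assumptions. */
typedef struct {
    char *data;            /* buffer provided by the library */
    unsigned int length;   /* in: capacity in bytes; out: response length */
} prompt_reply;

/* Vulnerable pattern: the check admits a response that fills the buffer
 * completely, then the terminating nul is written one byte past the end.
 * Returns the number of bytes written, or 0 if the response was rejected. */
size_t fill_reply_vulnerable(prompt_reply *reply, const char *response)
{
    size_t len = strlen(response);
    if (len > reply->length)              /* BUG: should be >= */
        return 0;
    memcpy(reply->data, response, len);
    reply->data[len] = '\0';              /* out of bounds when len == length */
    reply->length = (unsigned int) len;
    return len + 1;
}

/* Hardened pattern: a response that leaves no room for the terminator is
 * rejected, so the nul always lands inside the buffer. */
size_t fill_reply_fixed(prompt_reply *reply, const char *response)
{
    size_t len = strlen(response);
    if (len >= reply->length)
        return 0;
    memcpy(reply->data, response, len);
    reply->data[len] = '\0';
    reply->length = (unsigned int) len;
    return len + 1;
}

/* Harness: allocate buflen bytes plus one canary byte directly after them,
 * run the fill function, and report whether the canary changed.
 * Returns 1 if the byte after the buffer was overwritten, 0 if it is intact,
 * -1 on allocation failure. */
int byte_after_buffer_clobbered(size_t (*fill)(prompt_reply *, const char *),
                                const char *response, size_t buflen)
{
    const char canary = (char) 0xA5;
    char *storage = malloc(buflen + 1);
    if (storage == NULL)
        return -1;
    memset(storage, 0, buflen);
    storage[buflen] = canary;

    prompt_reply reply = { storage, (unsigned int) buflen };
    fill(&reply, response);

    int clobbered = storage[buflen] != canary;
    free(storage);
    return clobbered;
}

int main(void)
{
    const char *exact = "correcthorse";   /* constructed: 12 bytes, buffer is 12 */
    const char *shorter = "correcthors";  /* constructed: 11 bytes */

    printf("vulnerable, exact-length response: byte after buffer %s\n",
           byte_after_buffer_clobbered(fill_reply_vulnerable, exact, 12)
               ? "overwritten" : "intact");
    printf("fixed, exact-length response:      byte after buffer %s\n",
           byte_after_buffer_clobbered(fill_reply_fixed, exact, 12)
               ? "overwritten" : "intact");
    printf("fixed, shorter response:           byte after buffer %s\n",
           byte_after_buffer_clobbered(fill_reply_fixed, shorter, 12)
               ? "overwritten" : "intact");
    return 0;
}
```

Only the exact-length response through the vulnerable copy touches the canary, which matches the report: responses shorter than the buffer are handled safely by both variants, and the hardened check simply refuses the boundary case. Whether the overwritten byte is allocator padding or a live variable depends on how the library laid out the buffer, which is why the analysis above treats exploitability as uncertain.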
Acknowledgments: Name: Russ Allbery
Statement: This issue does not affect the versions of the pam_krb5 package shipped with Red Hat products (https://pagure.io/pam_krb5).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10595
External References: https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html