Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159753 - CAN-2005-1689 double-free in krb5_recvauth
Summary: CAN-2005-1689 double-free in krb5_recvauth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: krb5
Version: 3.0
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard: impact=critical,embargo=20050712,sour...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-07 20:00 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHSA-2005-562
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-12 18:18:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:562 normal SHIPPED_LIVE Critical: krb5 security update 2005-07-12 04:00:00 UTC

Description Josh Bressers 2005-06-07 20:00:44 UTC
Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
   krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
   krb5, up to and including krb5-1.4.1, is vulnerable.

* Third-party application programs which call krb5-recvauth() are also
   vulnerable.

FIXES
=====

* Apply the following patch.  This patch was generated against the
   krb5-1.4.1 release.  It may apply, with some offset, to earlier
   releases.

   The patch may also be found at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

   The associated detached PGP signature is at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
--- lib/krb5/krb/recvauth.c     23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
--- 76,81 ----
***************
*** 90,96 ****
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }
--- 89,94 ----

Comment 1 Josh Bressers 2005-06-07 20:02:10 UTC
This issue probably also affects RHEL2.1 and RHEL3

Comment 2 Josh Bressers 2005-06-07 20:03:27 UTC
Nalin,

If you feel this issue isn't worthy of a critical severity rating, let me know.
 My limited knowledge of krb5 leads me to believe this is a very serious issue.

Comment 4 Mark J. Cox 2005-07-12 18:03:19 UTC
Public at http://web.mit.edu/kerberos/www/advisories/ - removing embargo

Comment 5 Red Hat Bugzilla 2005-07-12 18:18:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-562.html



Note You need to log in before you can comment on or make changes to this bug.