The GSS-API library provided with MIT krb5 contains a vulnerability that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.
A vulnerability in the way the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding may result in a double free. According to MIT krb5 Security Advisory MITKRB5-SA-2007-003:
The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees memory allocated for the "message_buffer" gss_buffer_t when it detects an invalid direction encoding on the message. It does not set the pointer to NULL, nor does it set the length to zero. An application subsequently calling gss_release_buffer() on this gss_buffer_t will cause memory to be freed twice.
A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
This issue is addressed in MIT krb5 Security Advisory MITKRB5-SA-2007-003
|Date First Published:||2007-04-03|
|Date Last Updated:||2007-04-23 19:26 UTC|