Bug#: 199211
Alias:
Product:
Component:
Status: RESOLVED
Resolution: DUPLICATE of bug 199205
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: airsupply <airsupply@venustech.com.cn>
CC:
URL:
Summary:
Status Whiteboard:
Keywords:
Description:   Opened: 2007-11-15 08:35 0000
mit-krb5 library double-free vulnerability
[Security Advisory]

Advisory: [AD_LAB-0716] mit-krb5 kdb library double-free vulnerability
Class: Design Error
DATE: 11/14/2007
CVEID: CVE-2007-5972
Vulnerable:
        mit-krb5 1.5 All
        Other versions may also be affected.
Vendor:
        MIT
I.Synopsis

A double-free vulnerability has been discovered in the kdb lib included in
mit-krb5.

II.DETAILS:
----------
Background

The kdb library is a library included in mit-krb5.

Description

        There is a double-free vulnerability in function krb5_def_store_mkey in
        lib/kdb/kdb_default.c.
......
        enctype = key->enctype;
        if ((fwrite((krb5_pointer) &enctype,
                    2, 1, kf) != 1) ||
            (fwrite((krb5_pointer) &key->length,
                    sizeof(key->length), 1, kf) != 1) ||
            (fwrite((krb5_pointer) key->contents,
                    sizeof(key->contents[0]), (unsigned) key->length,
                    kf) != key->length)) {
            retval = errno;
            /* (1) Pointer "kf" first freed by fclose. */
            (void) fclose(kf);
        }
        /* (2) Double free of pointer "kf" when fclose is called on it again! */
        if (fclose(kf) == EOF)
            retval = errno;
    #if HAVE_UMASK
        (void) umask(oumask);
    #endif
        return retval;
    }
......
Impact

    A remote attacker may cause instability and potentially crash krb5kdc in
    mit krb5 or third-party applications that use this function from the kdb
    library in mit-krb5.
    Exploitation of double-free bugs is believed to be difficult.


III.CREDIT: 
----------
    Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

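The corrected shape of the write-and-close sequence quoted in the report, as an added C example that is neither MIT's code nor part of the report: the same three fwrite calls, but kf is closed exactly once on every path and the first errno is kept rather than overwritten by the fclose check. `struct keyblock`, `store_key`, the `fmemopen` streams and the sample key bytes are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Minimal stand-in for krb5_keyblock and a constructed sample key. */
struct keyblock { unsigned short enctype; int length; const unsigned char *contents; };
static const unsigned char kbytes[4] = {0xde, 0xad, 0xbe, 0xef};
static const struct keyblock sample = {18, 4, kbytes};

/* Same fwrite chain as the advisory's snippet, but kf is closed exactly once,
 * on the error path and the success path alike. Returns 0 or an errno value. */
int store_key(FILE *kf, const struct keyblock *key)
{
    int retval = 0;
    errno = 0;
    if (fwrite(&key->enctype, 2, 1, kf) != 1 ||
        fwrite(&key->length, sizeof(key->length), 1, kf) != 1 ||
        fwrite(key->contents, 1, (size_t)key->length, kf) != (size_t)key->length)
        retval = errno ? errno : EIO;   /* no fclose here: the one below suffices */
    /* The only fclose: its result is checked, but an earlier error is kept. */
    if (fclose(kf) == EOF && retval == 0)
        retval = errno ? errno : EIO;
    return retval;
}

/* Round trip via fmemopen; layout is 2-byte enctype, int length, key bytes. */
int demo_success(void)
{
    unsigned char buf[64], want[2 + sizeof sample.length + 4];
    FILE *kf = fmemopen(buf, sizeof buf, "w");
    if (kf == NULL || store_key(kf, &sample) != 0)
        return 0;
    memcpy(want, &sample.enctype, 2);
    memcpy(want + 2, &sample.length, sizeof sample.length);
    memcpy(want + 2 + sizeof sample.length, kbytes, 4);
    return memcmp(buf, want, sizeof want) == 0;   /* 1 when the bytes match */
}
/* Unbuffered 1-byte stream: the first fwrite fails, the error is recorded and
 * the stream is still closed exactly once. Returns that non-zero errno. */
int demo_failure(void)
{
    unsigned char tiny[1];
    FILE *kf = fmemopen(tiny, sizeof tiny, "w");
    if (kf == NULL) return -1;
    setvbuf(kf, NULL, _IONBF, 0);
    return store_key(kf, &sample);
}
int main(void)
{
    printf("round trip ok: %d, failure errno: %d\n", demo_success(), demo_failure());
}
```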

------- Comment #1 From Pierre-Yves Rofes 2007-11-16 22:11:22 0000 -------
Thanks for the report, but no need to open 4 bugs for 4 issues affecting the
same ebuild. I'll close the 3 others as dupes of the first one.

*** This bug has been marked as a duplicate of bug 199205 ***
