mit-krb5 lib vulnerability [Security Advisory] Advisory: [AD_LAB-0713] mit-krb5 gssapi lib vulnerability Class: Design Error DATE:11/9/2007 CVEID: CVE-2007-5971 Vulnerable: mit-krb5 All Vendor: MIT I.Synopsis A vulnerability has been discovered in gssapi lib included in mit-krb5. II.DETAILS: ---------- Background The gssapi lib is crypt lib including in mit-krb5. Description There is a double free vulnerability in function gss_krb5int_make_seal_token_v3 in k5sealv3.c. ...... 235 if (message2->length) 236 memcpy(outbuf + 16, message2->value, message2->length); 237 238 sum.contents = outbuf + 16 + message2->length; 239 sum.length = ctx->cksum_size; 240 241 err = krb5_c_make_checksum(context, ctx->cksumtype, key, 242 key_usage, &plain, &sum); 243 zap(plain.data, plain.length); 244 free(plain.data); 245 plain.data = 0; 246 if (err) { 247 zap(outbuf,bufsize); (1)Pointer outbuf freed by function free 248 free(outbuf); 249 goto error; 250 } 251 if (sum.length != ctx->cksum_size) 252 abort(); ...... 287 error: (2) Double free of pointer outbuf in free(outbuf) 288 free(outbuf); 289 token->value = NULL; 290 token->length = 0; 291 return err; 292 } 293 ...... Impact A remote attacker may cause instability and potentially crash an application or service that using the gssapi lib in mit-krb5. III.CREDIT: ---------- Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys. V.DISCLAIMS: ----------- The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use. VENUSTECH Security Lab VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) Security Trusted {Solution} Provider Service
*** This bug has been marked as a duplicate of bug 199205 ***
