mit-krb5 library double-free vulnerability [Security Advisory]

Advisory: [AD_LAB-0716] mit-krb5 kdb library double-free vulnerability
Class: Design Error
DATE: 11/14/2007
CVEID: CVE-2007-5972
Vulnerable: mit-krb5 1.5. All other versions may also be affected.
Vendor: MIT

I. Synopsis

A double-free vulnerability has been discovered in the kdb lib included in mit-krb5.

II. DETAILS:
----------

Background

The kdb library is a library included in mit-krb5.

Description

There is a double-free vulnerability in function krb5_def_store_mkey in lib/kdb/kdb_default.c.

    ......
    enctype = key->enctype;
    if ((fwrite((krb5_pointer) &enctype,
                2, 1, kf) != 1) ||
        (fwrite((krb5_pointer) &key->length,
                sizeof(key->length), 1, kf) != 1) ||
        (fwrite((krb5_pointer) key->contents,
                sizeof(key->contents[0]), (unsigned) key->length,
                kf) != key->length)) {
        retval = errno;
        /* (1) Pointer "kf" first freed by fclose. */
        (void) fclose(kf);
    }
    /* (2) Double free of pointer "kf" when fclose it again! */
    if (fclose(kf) == EOF)
        retval = errno;
    #if HAVE_UMASK
        (void) umask(oumask);
    #endif
        return retval;
    }
    ......

Impact

A remote attacker may cause instability and potentially crash krb5kdc in mit-krb5 or third-party applications that use this function from the kdb library in mit-krb5. Exploitation of double-free bugs is believed to be difficult.

III. CREDIT:
----------

Venustech AD-LAB discovered this vulnerability. Thanks to all Venustech AD-Lab guys.

V. DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved.
VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO., LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service
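The safe form of the close sequence from the excerpt above, as an added example that is neither Venustech's nor MIT's code: the stream is closed exactly once on the failure path and exactly once on the success path, and the write status is captured before the close. The keyblock_t struct, the store_mkey_once and load_mkey names and the on-disk record layout are assumptions of this example, not the real krb5 API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the krb5 keyblock fields the stash writer touches
 * (an assumption of this example, not the real krb5_keyblock). */
typedef struct {
    int32_t enctype;
    unsigned int length;
    unsigned char *contents;
} keyblock_t;
/* Writes the record (2-byte enctype, length, contents) to `path`, closing
 * the stream exactly once on every path. On a short write the status is
 * captured, the stream is closed and the function returns, so control
 * never reaches the second fclose that the advisory's excerpt falls into. */
int store_mkey_once(const char *path, const keyblock_t *key)
{
    int retval = 0;
    FILE *kf = fopen(path, "wb");
    if (kf == NULL)
        return errno;
    int16_t enctype = (int16_t) key->enctype;
    if (fwrite(&enctype, 2, 1, kf) != 1 ||
        fwrite(&key->length, sizeof(key->length), 1, kf) != 1 ||
        fwrite(key->contents, 1, key->length, kf) != key->length) {
        retval = errno ? errno : EIO;
        (void) fclose(kf);   /* the only close on the failure path */
        return retval;
    }
    if (fclose(kf) == EOF)   /* the only close on the success path */
        retval = errno;
    return retval;
}

/* Reads the record back (used to check the layout); returns 0 on success. */
int load_mkey(const char *path, int16_t *enctype, unsigned int *length,
              unsigned char *buf, size_t bufsz)
{
    FILE *kf = fopen(path, "rb");
    if (kf == NULL)
        return errno;
    int ok = fread(enctype, 2, 1, kf) == 1 &&
             fread(length, sizeof(*length), 1, kf) == 1 &&
             *length <= bufsz &&
             fread(buf, 1, *length, kf) == *length;
    (void) fclose(kf);       /* single close, regardless of outcome */
    return ok ? 0 : EIO;
}
```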
Thanks for the report, but no need to open 4 bugs for 4 issues affecting the same ebuild. I'll close the 3 others as dupes of the first one. *** This bug has been marked as a duplicate of bug 199205 ***