Bug 199211 - mit-krb5 library double-free vulnerability
Summary: mit-krb5 library double-free vulnerability
Status: RESOLVED DUPLICATE of bug 199205
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-15 08:35 UTC by airsupply
Modified: 2007-11-16 22:11 UTC (History)
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description airsupply 2007-11-15 08:35:58 UTC
mit-krb5 library double-free vulnerability
[Security Advisory]

Advisory: [AD_LAB-0716] mit-krb5 kdb library double-free vulnerability
Class: Design Error
DATE:11/14/2007
CVEID: CVE-2007-5972
Vulnerable:
	mit-krb5 1.5 All
	Other versions may also be affected.
Vendor:
	MIT
I.Synopsis

A double-free vulnerability has been discovered in the kdb library included in mit-krb5.

II.DETAILS:
----------
Background

The kdb library is a library included in mit-krb5.

Description

	There is a double-free vulnerability in function krb5_def_store_mkey in lib/kdb/kdb_default.c.
......
175      enctype = key->enctype;
176      if ((fwrite((krb5_pointer) &enctype,
177                  2, 1, kf) != 1) ||
178          (fwrite((krb5_pointer) &key->length,
179                  sizeof(key->length), 1, kf) != 1) ||
180          (fwrite((krb5_pointer) key->contents,
181                  sizeof(key->contents[0]), (unsigned) key->length,
182                  kf) != key->length)) {
183          retval = errno;
(1) Pointer "kf" first freed by fclose.
184          (void) fclose(kf);
185      }
(2) Double free of pointer "kf" when fclose is called on it again!
186      if (fclose(kf) == EOF)
187          retval = errno;
188  #if HAVE_UMASK
189      (void) umask(oumask);
190  #endif
191      return retval;
192  }
......
Impact
    
    A remote attacker may cause instability and potentially crash krb5kdc in
    mit krb5 or third-party applications that use this function from the kdb library in mit-krb5.
    Exploitation of double-free bugs is believed to be difficult.


III.CREDIT: 
----------
    Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

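The quoted error path closes kf inside the if branch and then closes it again unconditionally on line 186, which is the double free the advisory reports. The C program below is an added example, not MIT code and not the vendor's fix: it reimplements the same write-then-close sequence with exactly one fclose() on every path, using a hypothetical struct keyblock as a stand-in for krb5_keyblock and a 2-byte enctype field written explicitly as int16_t (an assumption that simplifies the original's endian-dependent 2-byte write). Two driver functions exercise the success path (a temp file whose record is read back and checked) and the write-failure path (a stream opened read-only, so fwrite fails and the error branch runs); building with -fsanitize=address or running under Valgrind is the usual way to confirm the single-close property, since the original pattern trips a double-free report there.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for krb5_keyblock (assumed shape, not the real struct). */
struct keyblock {
    int32_t enctype;
    unsigned int length;
    const unsigned char *contents;
};

/* Write the stash record (2-byte enctype, length, raw key bytes) to an
 * already-open stream and close that stream exactly once.
 * Returns 0 on success, otherwise an errno value. */
int store_key_to_stream(FILE *kf, const struct keyblock *key)
{
    int retval = 0;
    int16_t enctype = (int16_t) key->enctype;   /* assumed 2-byte on-disk field */

    errno = 0;
    if (fwrite(&enctype, sizeof enctype, 1, kf) != 1 ||
        fwrite(&key->length, sizeof key->length, 1, kf) != 1 ||
        fwrite(key->contents, 1, key->length, kf) != key->length) {
        retval = errno ? errno : EIO;  /* some libcs leave errno unset here */
        /* Vulnerable pattern: an fclose(kf) at this point, followed by the
         * unconditional fclose(kf) below, frees the stream twice. Instead we
         * fall through so the single fclose() below serves both paths. */
    }

    /* The only fclose(). A buffered write that fails late (e.g. ENOSPC at
     * flush time) surfaces here, so its error is still reported. */
    if (fclose(kf) == EOF && retval == 0)
        retval = errno;
    return retval;
}

/* Success path: write a constructed key to a temp file, read the record back
 * and check its layout. Returns 0 when the record matches, negative otherwise. */
int demo_success(void)
{
    static const unsigned char sample[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed key */
    struct keyblock key = {17, sizeof sample, sample};
    char path[] = "/tmp/stash-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    FILE *kf = fdopen(fd, "wb");
    if (!kf) {
        close(fd);
        unlink(path);
        return -1;
    }
    int rc = store_key_to_stream(kf, &key);   /* closes kf on every path */
    if (rc != 0) {
        unlink(path);
        return rc;
    }

    unsigned char buf[64];
    FILE *in = fopen(path, "rb");
    size_t n = in ? fread(buf, 1, sizeof buf, in) : 0;
    if (in)
        fclose(in);
    unlink(path);

    size_t hdr = sizeof(int16_t) + sizeof(unsigned int);
    if (n != hdr + sizeof sample)
        return -2;
    if (memcmp(buf + sizeof(int16_t), &key.length, sizeof key.length) != 0)
        return -3;
    if (memcmp(buf + hdr, sample, sizeof sample) != 0)
        return -4;
    return 0;
}

/* Failure path: a stream opened read-only makes fwrite fail, so the function
 * must report a nonzero error and still close the stream exactly once. */
int demo_write_failure(void)
{
    static const unsigned char sample[1] = {0x01};   /* constructed key */
    struct keyblock key = {17, 1, sample};
    FILE *kf = fopen("/dev/null", "r");
    if (!kf)
        return -1;
    return store_key_to_stream(kf, &key);
}

int main(void)
{
    printf("success path: %d (0 expected)\n", demo_success());
    printf("failure path: %d (nonzero errno expected)\n", demo_write_failure());
    return 0;
}
```

The structural point is that the stream is released in one place regardless of how the write loop ended; a reviewer looking for this class of bug checks that every fclose()/free() on a resource is reachable from exactly one path, or that the pointer is nulled after the first release.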
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-16 22:11:22 UTC
Thanks for the report, but no need to open 4 bugs for 4 issues affecting the same ebuild. I'll close the 3 others as dupes of the first one.

*** This bug has been marked as a duplicate of bug 199205 ***