Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359129 - <app-crypt/mit-krb5-{1.8.3-r4,1.9-r2}: KDC double-free when PKINIT enabled (CVE-2011-0284)
Summary: <app-crypt/mit-krb5-{1.8.3-r4,1.9-r2}: KDC double-free when PKINIT enabled (...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2011-03-16 09:20 UTC by Eray Aslan
Modified: 2012-01-23 20:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Eray Aslan gentoo-dev 2011-03-16 09:20:43 UTC

MIT krb5 Security Advisory 2011-003
Original release: 2011-03-15
Last update: 2011-03-15

Topic: KDC vulnerable to double-free when PKINIT enabled



CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
to a double-free condition if the Public Key Cryptography for Initial
Authentication (PKINIT) capability is enabled, resulting in daemon
crash or arbitrary code execution (which is believed to be difficult).


An unauthenticated remote attacker can induce a double-free event,
causing the KDC daemon to crash (denial of service), or to execute
arbitrary code.  Exploiting a double-free event to execute arbitrary
code is believed to be difficult.


The KDC in releases krb5-1.7 and later are vulnerable, if they are
configured to respond to PKINIT requests.  Earlier releases did not
contain the vulnerable code.  Additionally, third-party
preauthentication plugins that generate TYPED-DATA in the e-data field
of a KRB-ERROR message may be vulnerable.


* Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series
  will contain fixes.

* Apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad->contents = td[size]->data;
                     pad->length = td[size]->length;
                     pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
             krb5_free_typed_data(kdc_context, td);

  This patch is also available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2011-0284


This issue was discovered by Cameron Meadors of Red Hat.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <>


In do_as_req.c, the function perpare_error_as() attempts to decode the
e_data field both as preauth data and as typed data.  If the e_data
contents are typed data, they are converted to preauth data.  This
conversion can free pointers to the typed data items, and free them
again when cleaning up the preauth data during function exit.


2011-03-15      original release

Copyright (C) 2011 Massachusetts Institute of Technology

Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2011-03-16 09:39:43 UTC
+*mit-krb5-1.9-r2 (16 Mar 2011)
+*mit-krb5-1.8.3-r4 (16 Mar 2011)
+  16 Mar 2011; Eray Aslan <> +mit-krb5-1.8.3-r4.ebuild,
+  +mit-krb5-1.9-r2.ebuild, +files/CVE-2011-0284.patch:
+  version bump - security bug #359129

=app-crypt/mit-krb5-1.8.3-r4 should be stabilized.  Thanks.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-16 13:45:24 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-03-16 15:09:38 UTC
amd64 ok
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-16 17:47:55 UTC
ppc/ppc64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-17 20:23:29 UTC
Stable for HPPA.
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-03-17 23:24:37 UTC
x86 stable.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-03-18 17:27:02 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-03-21 11:49:19 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 14:27:17 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:44 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at
by GLSA coordinator Sean Amoss (ackle).