This is one of the Venustech AD-LAB alleged vulnerabilities. CVE-2007-5972 http://bugs.gentoo.org/show_bug.cgi?id=199211 This bug is a double-free (actually a double-fclose) bug which is not a vulnerability due to inaccessibility to an attacker. If the fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c) fails, the file pointer "kf" may have fclose() called on it twice. 180 if ((fwrite((krb5_pointer) &enctype, 181 2, 1, kf) != 1) || 182 (fwrite((krb5_pointer) &key->length, 183 sizeof(key->length), 1, kf) != 1) || 184 (fwrite((krb5_pointer) key->contents, 185 sizeof(key->contents[0]), (unsigned) key->length, 186 kf) != key->length)) { 187 retval = errno; 188 (void) fclose(kf); 189 } 190 if (fclose(kf) == EOF) 191 retval = errno; The relevant code stashes a KDC master key. It is only run by explicit action of a KDC administrator, who already has all the privileges that exploiting this bug would gain. A properly configured KDC will have no unprivileged users having shell or other login access; therefore, an unprivileged user cannot cause the fwrite() failure necessary for triggering this bug. Also, under normal conditions, the code is run exactly once in the lifetime of a KDC: at database creation time.