Ticket History #5856: double-free in gss_krb5int_make_seal_token

# Wed Dec 12 13:40:14 2007 tlyu (Taylor Yu) - Ticket created

To:	krb5-bugs@MIT.EDU
Subject:	double-free in gss_krb5int_make_seal_token_v3() [CVE-2007-5971]
From:	Tom Yu <tlyu@MIT.EDU>
Date:	Wed, 12 Dec 2007 13:39:39 -0500

Download (untitled) / with headers
text/plain 1.1KiB

This is one of the Venustech AD-LAB alleged vulnerabilities.

CVE-2007-5971
http://bugs.gentoo.org/show_bug.cgi?id=199212

This bug is a double-free condition which is not a practical
vulnerability due to the extreme difficulty of exploitation. If
krb5_c_make_checksum() (in src/lib/gssapi/krb5/k5sealv3.c) fails,
"outbuf" may be freed twice.

244 err = krb5_c_make_checksum(context, ctx->cksumtype, key,
245 key_usage, &plain, &sum);
246 zap(plain.data, plain.length);
247 free(plain.data);
248 plain.data = 0;
249 if (err) {
250 zap(outbuf,bufsize);
251 free(outbuf);
252 goto error;
253 }
...
290 error:
291 free(outbuf);
292 token->value = NULL;
293 token->length = 0;
294 return err;
295 }

krb5_c_make_checksum() only fails if malloc() fails to allocate a very
small amount of memory. To exploit this vulnerability, an attacker
would need to force a malloc() failure at exactly the point where
krb5_c_make_checksum is called.

# Thu Dec 13 23:38:33 2007 tlyu (Taylor Yu) - Given to tlyu (Taylor Yu)

# Thu Dec 13 23:38:34 2007 tlyu (Taylor Yu) - Target_Version 1.6.4 added

# Thu Dec 13 23:38:34 2007 tlyu (Taylor Yu) - Status changed from 'new' to 'resolved'

# Thu Dec 13 23:38:35 2007 tlyu (Taylor Yu) - Tags pullup added

# Thu Dec 13 23:38:35 2007 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 180B

fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()

Commit By: tlyu

Revision: 20178
Changed Files:
_U trunk/
U trunk/src/lib/gssapi/mechglue/g_initialize.c

# Thu Dec 13 23:42:52 2007 tlyu (Taylor Yu) - Correspondence added

Download (untitled) / with headers
text/plain 324B

actually belongs to #5854: freeing non-heap in gss_indicate_mechs() [CVE-2007-5901]

[tlyu - Thu Dec 13 23:38:35 2007]:

Show quoted text

>
> fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
>
> Commit By: tlyu
>
>
>
> Revision: 20178
> Changed Files:
> _U trunk/
> U trunk/src/lib/gssapi/mechglue/g_initialize.c

# Fri Dec 14 00:01:13 2007 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 171B

fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()

Commit By: tlyu

Revision: 20180
Changed Files:
_U trunk/
U trunk/src/lib/gssapi/krb5/k5sealv3.c

# Fri Dec 14 00:19:43 2007 tlyu (Taylor Yu) - Component krb5-libs added

# Fri Dec 14 20:23:02 2007 tlyu (Taylor Yu) - Version_Fixed 1.6.4 added

# Fri Dec 14 20:23:02 2007 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 341B

pull up r20180 from trunk

r20180@cathode-dark-space: tlyu | 2007-12-14 00:01:07 -0500
ticket: 5856
target_version: 1.6.4
tags: pullup

fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()

Commit By: tlyu

Revision: 20186
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/gssapi/krb5/k5sealv3.c

# Wed Dec 16 18:02:51 2015 tlyu (Taylor Yu) - CustomField pullup deleted

Ticket History #5856: double-free in gss_krb5int_make_seal_token_v3() [CVE-2007-5971]