[krbdev.mit.edu #5857] double fclose() in krb5_def_store_mkey() [CVE-2007-5972]
Tom Yu via RT
rt-comment at krbdev.mit.edu
Wed Dec 12 13:40:23 EST 2007
This is one of the Venustech AD-LAB alleged vulnerabilities.
CVE-2007-5972
http://bugs.gentoo.org/show_bug.cgi?id=199211
This bug is a double-free (actually a double-fclose) bug which is not
a vulnerability due to inaccessibility to an attacker. If the
fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c)
fails, the file pointer "kf" may have fclose() called on it twice.
180 if ((fwrite((krb5_pointer) &enctype,
181 2, 1, kf) != 1) ||
182 (fwrite((krb5_pointer) &key->length,
183 sizeof(key->length), 1, kf) != 1) ||
184 (fwrite((krb5_pointer) key->contents,
185 sizeof(key->contents[0]), (unsigned) key->length,
186 kf) != key->length)) {
187 retval = errno;
188 (void) fclose(kf);
189 }
190 if (fclose(kf) == EOF)
191 retval = errno;
The relevant code stashes a KDC master key. It is only run by
explicit action of a KDC administrator, who already has all the
privileges that exploiting this bug would gain. A properly configured
KDC will have no unprivileged users having shell or other login
access; therefore, an unprivileged user cannot cause the fwrite()
failure necessary for triggering this bug. Also, under normal
conditions, the code is run exactly once in the lifetime of a KDC: at
database creation time.
More information about the krb5-bugs
mailing list