[prev in list] [next in list] [prev in thread] [next in thread] 

List:       krb5-bugs
Subject:    [krbdev.mit.edu #5857] double fclose() in krb5_def_store_mkey()
From:       "Tom Yu via RT" <rt-comment () krbdev ! mit ! edu>
Date:       2007-12-12 18:40:23
Message-ID: rt-5857-25716.17.0931797108094 () krbdev ! mit ! edu
[Download RAW message or body]

This is one of the Venustech AD-LAB alleged vulnerabilities.

CVE-2007-5972
http://bugs.gentoo.org/show_bug.cgi?id=199211

This bug is a double-free (actually a double-fclose) bug which is not
a vulnerability due to inaccessibility to an attacker.  If the
fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c)
fails, the file pointer "kf" may have fclose() called on it twice.

   180      if ((fwrite((krb5_pointer) &enctype,
   181                  2, 1, kf) != 1) ||
   182          (fwrite((krb5_pointer) &key->length,
   183                  sizeof(key->length), 1, kf) != 1) ||
   184          (fwrite((krb5_pointer) key->contents,
   185                  sizeof(key->contents[0]), (unsigned) key->length, 
   186                  kf) != key->length)) {
   187          retval = errno;
   188          (void) fclose(kf);
   189      }
   190      if (fclose(kf) == EOF)
   191          retval = errno;

The relevant code stashes a KDC master key.  It is only run by
explicit action of a KDC administrator, who already has all the
privileges that exploiting this bug would gain.  A properly configured
KDC will have no unprivileged users having shell or other login
access; therefore, an unprivileged user cannot cause the fwrite()
failure necessary for triggering this bug.  Also, under normal
conditions, the code is run exactly once in the lifetime of a KDC: at
database creation time.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic