Description: The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs: 622681

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version          Status
krb5 (PTS)       buster              1.17-3+deb10u3   fixed
                 buster (security)   1.17-3+deb10u2   fixed
                 bookworm, sid       1.20-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
krb5      source   lenny     (not affected)


[lenny] - krb5 <not-affected> (see below)
1.6 is not affected: While the error case in the process_chpw_request()
in kadmind in 1.6 can leave the data pointer uninitialized, the error
path in its caller will not free() that pointer (the invalid pointer
goes out of scope without being freed), unlike in krb5-1.7 and later.
Those later releases add support for password changing over TCP, and
the error path in the TCP handling code is what frees the
uninitialized pointer. (Clarification by Tom Yu)
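The defect class described in the clarification above, as an added illustration that is not krb5 code and not the project's actual patch: a constructed parser whose error path never writes its output pointer, beside a hardened variant that sets the pointer to NULL before any early return. The caller simulates the uninitialized stack value with a sentinel address and reports, rather than performs, the free() that the unsafe shape would hand garbage to, so the block runs without invoking undefined behaviour. All function and type names are assumptions chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a request parser that allocates a reply buffer.
   Returns 0 and sets *data_out on success, non-zero on error.
   Unsafe shape (mirrors the note above): on the length-check error path the
   function returns without ever writing *data_out, so the caller's variable
   keeps whatever it held before the call. */
static int parse_request_unsafe(const char *req, size_t len, char **data_out)
{
    if (len < 4)
        return -1;               /* error path: *data_out left untouched */
    *data_out = malloc(len + 1);
    if (*data_out == NULL)
        return -1;
    memcpy(*data_out, req, len);
    (*data_out)[len] = '\0';
    return 0;
}

/* Hardened shape: the output pointer is cleared before any early return, so a
   caller that unconditionally free()s it on error performs free(NULL), which
   the C standard defines as a no-op. */
static int parse_request_safe(const char *req, size_t len, char **data_out)
{
    *data_out = NULL;
    if (len < 4)
        return -1;
    *data_out = malloc(len + 1);
    if (*data_out == NULL)
        return -1;
    memcpy(*data_out, req, len);
    (*data_out)[len] = '\0';
    return 0;
}

/* Outcome codes returned by the simulated caller. */
enum outcome { OK = 0, FREED_NULL = 1, WOULD_FREE_GARBAGE = 2 };

typedef int (*parser_fn)(const char *, size_t, char **);

/* Simulates the caller's error path. In real code `data` would simply be an
   uninitialized local; here a sentinel address stands in for that garbage so
   the result can be observed instead of crashing the process. */
static enum outcome handle_request(parser_fn parse, const char *req, size_t len)
{
    static char garbage_marker;          /* its address is the sentinel */
    char *data = &garbage_marker;        /* simulated uninitialized value */

    if (parse(req, len, &data) == 0) {
        free(data);                      /* normal cleanup of a real buffer */
        return OK;
    }
    if (data == &garbage_marker)
        return WOULD_FREE_GARBAGE;       /* the invalid-free shape; do not free */
    free(data);                          /* data is NULL here: harmless */
    return FREED_NULL;
}

int main(void)
{
    /* Constructed inputs: "ab" is too short and takes the error path. */
    printf("unsafe, short request: %d (2 = would free garbage)\n",
           (int)handle_request(parse_request_unsafe, "ab", 2));
    printf("safe,   short request: %d (1 = freed NULL)\n",
           (int)handle_request(parse_request_safe, "ab", 2));
    printf("safe,   valid request: %d (0 = ok)\n",
           (int)handle_request(parse_request_safe, "hello", 5));
    return 0;
}
```

The caller-side lesson from the 1.6 comparison in the note is the same: an error path that frees an output buffer must only do so when that buffer is known to be either NULL or a live allocation, which is cheapest to guarantee by initializing the pointer before the first early return.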
