|Description||The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, buster (security)||1.17-3+deb10u1||fixed|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[lenny] - krb5 <not-affected> (see below)
1.6 is not affected: While the error case in the process_chpw_request()
in kadmind in 1.6 can leave the data pointer uninitialized, the error
path in its caller will not free() that pointer (the invalid pointer
goes out of scope without being freed), unlike in krb5-1.7 and later.
Those later releases add support for password changing over TCP, and
the error path in the TCP handling code is what frees the
uninitialized pointer. (Clarification by Tom Yu)