Software Engineering Institute

The MIT krb5 Security Advisory 2011-003 states:

"The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult)."

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code.

Apply a Patch
Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series will contain fixes. In the meantime, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -741,6 +741,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                    pad->contents = td[size]->data;
                    pad->length = td[size]->length;
                    pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                }
            krb5_free_typed_data(kdc_context, td);
        }