CVE-2012-1014
Priority
Medium
Description
The process_as_req function in the Key Distribution Center (KDC) in MIT
Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does not initialize a certain
structure member, which allows remote attackers to cause a denial of
service (uninitialized pointer dereference and daemon crash) or possibly
execute arbitrary code via a malformed AS-REQ request.
Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does not initialize a certain
structure member, which allows remote attackers to cause a denial of
service (uninitialized pointer dereference and daemon crash) or possibly
execute arbitrary code via a malformed AS-REQ request.
References
Notes
sbeattie> krb5 1.10 and newer
sbeattie> code execution potential probably blocked by glibc
double-free detection
sbeattie> code execution potential probably blocked by glibc
double-free detection
Assigned-to
sbeattie
Package
| Upstream: | needs-triage |
| Ubuntu 8.04 LTS (Hardy Heron): | not-affected (1.6.dfsg.3~beta1-2ubuntu1.8) |
| Ubuntu 10.04 LTS (Lucid Lynx): | not-affected (1.8.1+dfsg-2ubuntu0.10) |
| Ubuntu 11.04 (Natty Narwhal): | not-affected (1.8.3+dfsg-5ubuntu2.2) |
| Ubuntu 11.10 (Oneiric Ocelot): | not-affected (1.9.1+dfsg-1ubuntu2.2) |
| Ubuntu 12.04 LTS (Precise Pangolin): | released (1.10+dfsg~beta1-2ubuntu0.3) |
| Ubuntu 12.10 (Quantal Quetzal): | not-affected (1.10.1+dfsg-2) |
Patches:
| Upstream: | http://web.mit.edu/kerberos/advisories/2012-001-patch.txt |