CVE-2012-1014

Priority
Medium
Description
The process_as_req function in the Key Distribution Center (KDC) in MIT
Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does not initialize a certain
structure member, which allows remote attackers to cause a denial of
service (uninitialized pointer dereference and daemon crash) or possibly
execute arbitrary code via a malformed AS-REQ request.
References
Notes
 sbeattie> krb5 1.10 and newer
 sbeattie> code execution potential probably blocked by glibc
  double-free detection
Assigned-to
sbeattie
Package
Source: krb5 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (1.10.1+dfsg-2)
Patches:
Upstream:http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
More Information

Updated: 2017-12-15 20:29:45 UTC (commit 13913)