CVE-2011-0285

NameCVE-2011-0285
DescriptionThe process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs622681

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
krb5 (PTS)jessie, jessie (lts)1.12.1+dfsg-19+deb8u9fixed
stretch (security)1.15-1+deb9u3fixed
stretch (lts), stretch1.15-1+deb9u6fixed
buster, buster (lts)1.17-3+deb10u7fixed
buster (security)1.17-3+deb10u6fixed
bullseye (security), bullseye1.18.3-6+deb11u5fixed
bookworm (security), bookworm1.20.1-2+deb12u2fixed
sid, trixie1.21.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
krb5sourcelenny(not affected)
krb5sourcesqueeze1.8.3+dfsg-4squeeze1
krb5source(unstable)1.9.1+dfsg-1622681

Notes

[lenny] - krb5 <not-affected> (see below)
1.6 is not affected: While the error case in the process_chpw_request()
in kadmind in 1.6 can leave the data pointer uninitialized, the error
path in its caller will not free() that pointer (the invalid pointer
goes out of scope without being freed), unlike in krb5-1.7 and later.
Those later releases add support for password changing over TCP, and
the error path in the TCP handling code is what frees the
uninitialized pointer. (Clarification by Tom Yu)

Search for package or bug name: Reporting problems