Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-9421

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://web.mit.edu/ker...
CONFIRM: http://web.mit.edu/ker...
CONFIRM: https://github.com/krb...
DEBIAN: DSA-3153
REDHAT: RHSA-2015:0439
SUSE: SUSE-SU-2015:0257
SUSE: SUSE-SU-2015:0290
SUSE: openSUSE-SU-2015:0255
UBUNTU: USN-2498-1
FEDORA: FEDORA-2015-2382
FEDORA: FEDORA-2015-2347
MANDRIVA: MDVSA-2015:069
REDHAT: RHSA-2015:0794
BID: 72496

Launchpad.net

CVE 2014-9421

Related bugs

References