MIT krb5: Multiple vulnerabilities
Gentoo Linux Security Advisory
GLSA 200409-09 / mit-krb5
September 06, 2004
September 06, 2004: 01
All supported architectures
MIT krb5 contains several double-free vulnerabilities, potentially allowing
the execution of arbitrary code, as well as a denial of service.
MIT krb5 is the free implementation of the Kerberos network authentication
protocol by the Massachusetts Institute of Technology.
The implementation of the Key Distribution Center (KDC) and the MIT krb5
library contain double-free vulnerabilities, making client programs as well
as application servers vulnerable.
The ASN.1 decoder library is vulnerable to a denial of service attack,
which also affects the KDC.
The double-free vulnerabilities could allow an attacker to execute
arbitrary code on a KDC host and hosts running krb524d or vulnerable
services. In the case of a KDC host, this can lead to a compromise of the
entire Kerberos realm. Furthermore, an attacker impersonating a legitimate
KDC or application server can potentially execute arbitrary code on
An attacker can cause a denial of service for a KDC or application server
and clients, the latter if impersonating a legitimate KDC or application
There is no known workaround at this time.
All mit-krb5 users should upgrade to the latest stable version:
Code Listing 3.1: Resolution
# emerge sync
# emerge -pv ">=app-crypt/mit-krb5-1.3.4"
# emerge ">=app-crypt/mit-krb5-1.3.4"