CVE-2012-1014
Published: 31 July 2012
The process_as_req function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does not initialize a certain structure member, which allows remote attackers to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a malformed AS-REQ request.
Notes
Author | Note |
---|---|
sbeattie | krb5 1.10 and newer code execution potential probably blocked by glibc double-free detection |
Priority
Status
Package | Release | Status |
---|---|---|
krb5 Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
(1.6.dfsg.3~beta1-2ubuntu1.8)
|
lucid |
Not vulnerable
(1.8.1+dfsg-2ubuntu0.10)
|
|
natty |
Not vulnerable
(1.8.3+dfsg-5ubuntu2.2)
|
|
oneiric |
Not vulnerable
(1.9.1+dfsg-1ubuntu2.2)
|
|
precise |
Released
(1.10+dfsg~beta1-2ubuntu0.3)
|
|
upstream |
Needs triage
|
|
Patches: upstream: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt |