Some vulnerabilities have been reported in Kerberos, which can be exploited by malicious users and malicious people to compromise a vulnerable system.

1) An error exists within the "gssrpc__svcauth_gssapi" function in the RPC library, which can cause kadmind and possibly other third-party products to free an uninitialised pointer when receiving an RPC credential with a length of zero.

2) A signedness error exists within the "gssrpc__svcauth_unix()" function in the RPC library, which is used by kadmind and possibly other third-party products. This can be exploited to cause a stack-based buffer overflow.

Successful exploitation of vulnerability #1 and #2 potentially allows execution of arbitrary code.

3) A boundary error exists in kadmind within the "rename_principal_2_svc()" function and can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code but requires valid user credentials.

The vulnerabilities are reported in krb5-1.6.1. Other versions may also be affected.

Solution
Apply patches (see vendor advisories for details).
Further details available to Secunia VIM customers

Provided and/or discovered by
1, 2) The vendor credits Wei Wang, McAfee Avert Labs.
3) An anonymous person, reported via iDefense Labs.

Original Advisory
Kerberos:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers