Some vulnerabilities have been reported in Kerberos, which can be exploited by malicious people to potentially disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

1) A NULL-pointer dereference error exists in the "spnego_gss_accept_sec_context()" function in "src/lib/gssapi/spnego/spnego_mech.c". This can be exploited to e.g. crash the daemon by sending a "NegTokenInit" token with specially crafted ContextFlags.

2) An error in the "get_input_token()" function in the SPNEGO implementation can be exploited to trigger an out-of-bounds read and cause a crash.

Successful exploitation of this vulnerability may allow the disclosure of sensitive information.

3) An incorrect calculation performed in the "asn1buf_imbed()" function of the ASN.1 decoder can be exploited to crash kinit or KDC.

4) An error in the "asn1_decode_generaltime()" function can be exploited to free an uninitialized pointer via an invalid DER encoding.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

Please see the vendor's advisories for details on affected versions.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1) Richard Evans
2) The vendor credits Apple Product Security.
3,4) Reported by the vendor.

Changelog
Further details available in Customer Area

Original Advisory
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2009-001.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2009-002.txt

http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402

Deep Links
Links available in Customer Area