FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

krb5 -- Double-free in KDC TGS processing

Affected packages
krb5 < 1.21.1_1
krb5-121 < 1.21.1_1
krb5-devel < 1.22.2023.08.07


VuXML ID a6986f0f-3ac0-11ee-9a88-206a8a720317
Discovery 2023-08-07
Entry 2023-08-14

SO-AND-SO reports:

When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails..


CVE Name CVE-2023-39975