Vulnerability Description
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mit | Kerberos 5 | < 1.6.4 |
| Fedoraproject | Fedora | 9 |
| Canonical | Ubuntu Linux | 6.06 |
| Apple | Mac Os X | < 10.5.7 |
| Redhat | Enterprise Linux | 4.0 |
| Redhat | Enterprise Linux Desktop | 3.0 |
| Redhat | Enterprise Linux Eus | 4.7 |
| Redhat | Enterprise Linux Server | 2.0 |
| Redhat | Enterprise Linux Workstation | 2.0 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.htmlMailing List
- http://lists.vmware.com/pipermail/security-announce/2009/000059.htmlBroken Link
- http://marc.info/?l=bugtraq&m=124896429301168&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=130497213107107&w=2Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2009-0409.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2009-0410.htmlThird Party Advisory
- http://secunia.com/advisories/34594Broken Link
- http://secunia.com/advisories/34598Broken Link
- http://secunia.com/advisories/34617Broken Link
- http://secunia.com/advisories/34622Broken Link
- http://secunia.com/advisories/34628Broken Link
- http://secunia.com/advisories/34630Broken Link
- http://secunia.com/advisories/34637Broken Link
- http://secunia.com/advisories/34640Broken Link
- http://secunia.com/advisories/34734Broken Link
FAQ
What is CVE-2009-0846?
CVE-2009-0846 is a vulnerability with a CVSS score of 10.0 (HIGH). The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service...
How severe is CVE-2009-0846?
CVE-2009-0846 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-0846?
Check the references section above for vendor advisories and patch information. Affected products include: Mit Kerberos 5, Fedoraproject Fedora, Canonical Ubuntu Linux, Apple Mac Os X, Redhat Enterprise Linux.