In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_string function in lib/asn1/der_length.c. See also: https://github.com/heimdal/heimdal/issues/353
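The failure mode described in the report above, as an added example that is not part of the original bug report and is not Heimdal's code: a simplified model of a decoded request whose client name or realm arrived empty, with the unchecked field walk beside a checked one. All type, function and constant names here are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for a decoded request body; these are
 * not Heimdal's types. A NULL pointer models a field that arrived empty. */
struct name_model { size_t ncomp; char **comp; };
struct req_body_model { struct name_model *cname; char *realm; };

enum { REQ_OK = 0, REQ_ERR_NO_CLIENT = 1, REQ_ERR_NO_REALM = 2 };
/* Length helper that trusts its input: it crashes if *s is NULL. */
static size_t visible_string_length(char *const *s) { return strlen(*s); }

/* "Before": walks the fields unconditionally. A NULL cname or realm is
 * dereferenced here, which is the segmentation fault in the report. */
static size_t names_length_unchecked(const struct req_body_model *b)
{
    size_t n = visible_string_length(&b->realm);
    for (size_t i = 0; i < b->cname->ncomp; i++)
        n += visible_string_length(&b->cname->comp[i]);
    return n;
}

/* "After": reject the request before any field is touched. */
int names_length_checked(const struct req_body_model *b, size_t *out)
{
    if (b == NULL || b->cname == NULL || b->cname->comp == NULL)
        return REQ_ERR_NO_CLIENT;
    for (size_t i = 0; i < b->cname->ncomp; i++)
        if (b->cname->comp[i] == NULL)
            return REQ_ERR_NO_CLIENT;
    if (b->realm == NULL)
        return REQ_ERR_NO_REALM;
    *out = names_length_unchecked(b);
    return REQ_OK;
}

int main(void)
{
    /* Constructed inputs: one request with both fields empty, one complete. */
    char *comps[] = { "alice" };
    struct name_model nm = { 1, comps };
    struct req_body_model empty = { NULL, NULL }, ok = { &nm, "EXAMPLE.ORG" };
    size_t n = 0;
    printf("empty request -> error %d\n", names_length_checked(&empty, &n));
    int rc = names_length_checked(&ok, &n);
    printf("valid request -> status %d, length %zu\n", rc, n);
    return 0;
}
```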
Arches, please test and mark stable
=app-crypt/heimdal-7.5.0
TARGET KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd"
x86 stable
ppc/ppc64 stable
amd64 stable
arm stable
ia64 stable
Stable on alpha.
hppa stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8d3108007a97d63ba6eebd5f279ad56cf2d314d

commit b8d3108007a97d63ba6eebd5f279ad56cf2d314d
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-22 22:45:09 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-22 22:45:52 +0000

app-crypt/heimdal: drop vulnerable

Bug: https://bugs.gentoo.org/640808
Package-Manager: Portage-2.3.31, Repoman-2.3.9

app-crypt/heimdal/Manifest | 1 -
app-crypt/heimdal/heimdal-7.4.0.ebuild | 173 ---------------------------------
2 files changed, 174 deletions(-)
GLSA Vote: No