191301 2007-09-04 21:23 0000 app-crypt/mit-krb5 < 1.5.3-r1 multiple vulnerabilities (CVE-2007-3999, CVE-2007-4000) 2008-01-10 08:38:57 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B0 [glsa] vorlon P2 major --- 1 hncaldwell@gentoo.org security@gentoo.org gentoobugs@mnagl.de henson@acm.org kerberos@gentoo.org lkml_ccc@yahoo.it hncaldwell@gentoo.org 2007-09-04 21:23:49 0000 MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer [CVE-2007-3999] An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code. [CVE-2007-4000] An authenticated user with "modify policy" privilege may be able to cause a host running kadmind to execute arbitrary code. See: http://www.securityfocus.com/archive/1/478544 Reproducible: Always Steps to Reproduce: py@gentoo.org 2007-09-05 11:03:12 0000 *** Bug 191356 has been marked as a duplicate of this bug. *** py@gentoo.org 2007-09-05 11:08:32 0000 kerberos, please advise. seemant@gentoo.org 2007-09-05 13:13:29 0000 I think I have some patches laying around for this fix. Will report back. hncaldwell@gentoo.org 2007-09-05 21:00:59 0000 Created an attachment (id=130116) Revised patch. See http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt "... The patch for CVE-2007-3999 has been revised; the patch originally released for svc_auth_gss.c allowed a 32-byte overflow. Depending on the compilation environment and machine architecture, this may or may not be a significant continued vulnerability. The new patch below correctly checks the buffer length. ..." py@gentoo.org 2007-09-06 07:45:44 0000 *** Bug 191444 has been marked as a duplicate of this bug. *** seemant@gentoo.org 2007-09-07 06:27:36 0000 thanks for that Heath. New ebuild is 1.5.3-r1. Arch teams can feel free to do what they need to. py@gentoo.org 2007-09-07 07:52:57 0000 Thanks Seemant. Arches, please test and mark stable. Target keywords are: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86" jer@gentoo.org 2007-09-07 09:47:39 0000 Stable for HPPA. armin76@gentoo.org 2007-09-07 11:39:54 0000 alpha/ia64/x86 stable dertobi123@gentoo.org 2007-09-07 14:52:50 0000 ppc stable wolf31o2@gentoo.org 2007-09-07 18:18:39 0000 amd64 done corsair@gentoo.org 2007-09-08 08:05:48 0000 ppc64 stable jmbsvicetto@gentoo.org 2007-09-09 03:57:12 0000 mit-krb5-1.5.3-r1 emerged fine here on sparc64 with both: app-crypt/mit-krb5-1.5.3-r1 (ipv6 tcl) app-crypt/mit-krb5-1.5.3-r1 jmbsvicetto@gentoo.org 2007-09-09 03:59:26 0000 Created an attachment (id=130389) sparc64 emerge --info vorlon@gentoo.org 2007-09-10 18:48:08 0000 security: GLSA drafted and ready for review sparc team, please test and mark stable jer@gentoo.org 2007-09-11 03:17:47 0000 Stable for SPARC. vorlon@gentoo.org 2007-09-11 20:04:56 0000 GLSA 200709-01 thanks everyone 130116 2007-09-05 21:00 0000 Revised patch. 2007-006-patch.txt text/plain KioqIHNyYy9saWIva2FkbTUvc3J2L3N2cl9wb2xpY3kuYwkocmV2aXNpb24gMjAyNTQpCi0tLSBz cmMvbGliL2thZG01L3Nydi9zdnJfcG9saWN5LmMJKGxvY2FsKQoqKioqKioqKioqKioqKioKKioq IDIxMSwyMTggKioqKgogICAgICBpZigobWFzayAmIEtBRE01X1BPTElDWSkpCiAgCXJldHVybiBL QURNNV9CQURfTUFTSzsKICAJCQohICAgICByZXQgPSBrcmI1X2RiX2dldF9wb2xpY3koaGFuZGxl LT5jb250ZXh0LCBlbnRyeS0+cG9saWN5LCAmcCwgJmNudCk7CiEgICAgIGlmKCByZXQgJiYgKGNu dD09MCkgKQogIAlyZXR1cm4gS0FETTVfVU5LX1BPTElDWTsKICAKICAgICAgaWYgKChtYXNrICYg S0FETTVfUFdfTUFYX0xJRkUpKQotLS0gMjExLDIxOSAtLS0tCiAgICAgIGlmKChtYXNrICYgS0FE TTVfUE9MSUNZKSkKICAJcmV0dXJuIEtBRE01X0JBRF9NQVNLOwogIAkJCiEgICAgIGlmICgocmV0 ID0ga3JiNV9kYl9nZXRfcG9saWN5KGhhbmRsZS0+Y29udGV4dCwgZW50cnktPnBvbGljeSwgJnAs ICZjbnQpKSkKISAJcmV0dXJuIHJldDsKISAgICAgaWYgKGNudCAhPSAxKQogIAlyZXR1cm4gS0FE TTVfVU5LX1BPTElDWTsKICAKICAgICAgaWYgKChtYXNrICYgS0FETTVfUFdfTUFYX0xJRkUpKQoq Kiogc3JjL2xpYi9ycGMvc3ZjX2F1dGhfZ3NzLmMJKHJldmlzaW9uIDIwNDc0KQotLS0gc3JjL2xp Yi9ycGMvc3ZjX2F1dGhfZ3NzLmMJKGxvY2FsKQoqKioqKioqKioqKioqKioKKioqIDM1NSwzNjAg KioqKgotLS0gMzU1LDM2OSAtLS0tCiAgCW1lbXNldChycGNoZHIsIDAsIHNpemVvZihycGNoZHIp KTsKICAKICAJLyogWFhYIC0gUmVjb25zdHJ1Y3QgUlBDIGhlYWRlciBmb3Igc2lnbmluZyAoZnJv bSB4ZHJfY2FsbG1zZykuICovCisgCW9hID0gJm1zZy0+cm1fY2FsbC5jYl9jcmVkOworIAlpZiAo b2EtPm9hX2xlbmd0aCA+IE1BWF9BVVRIX0JZVEVTKQorIAkJcmV0dXJuIChGQUxTRSk7CisgCisg CS8qIDggWERSIHVuaXRzIGZyb20gdGhlIElYRFIgbWFjcm8gY2FsbHMuICovCisgCWlmIChzaXpl b2YocnBjaGRyKSA8ICg4ICogQllURVNfUEVSX1hEUl9VTklUICsKKyAJCQkgICAgICBSTkRVUChv YS0+b2FfbGVuZ3RoKSkpCisgCQlyZXR1cm4gKEZBTFNFKTsKKyAKICAJYnVmID0gKGludDMyX3Qg Kikodm9pZCAqKXJwY2hkcjsKICAJSVhEUl9QVVRfTE9ORyhidWYsIG1zZy0+cm1feGlkKTsKICAJ SVhEUl9QVVRfRU5VTShidWYsIG1zZy0+cm1fZGlyZWN0aW9uKTsKKioqKioqKioqKioqKioqCioq KiAzNjIsMzY4ICoqKioKICAJSVhEUl9QVVRfTE9ORyhidWYsIG1zZy0+cm1fY2FsbC5jYl9wcm9n KTsKICAJSVhEUl9QVVRfTE9ORyhidWYsIG1zZy0+cm1fY2FsbC5jYl92ZXJzKTsKICAJSVhEUl9Q VVRfTE9ORyhidWYsIG1zZy0+cm1fY2FsbC5jYl9wcm9jKTsKLSAJb2EgPSAmbXNnLT5ybV9jYWxs LmNiX2NyZWQ7CiAgCUlYRFJfUFVUX0VOVU0oYnVmLCBvYS0+b2FfZmxhdm9yKTsKICAJSVhEUl9Q VVRfTE9ORyhidWYsIG9hLT5vYV9sZW5ndGgpOwogIAlpZiAob2EtPm9hX2xlbmd0aCkgewotLS0g MzcxLDM3NiAtLS0tCg== 130389 2007-09-09 03:59 0000 sparc64 emerge --info sparc64-emerge-info text/plain UG9ydGFnZSAyLjEuMi4xMiAoZGVmYXVsdC1saW51eC9zcGFyYy9zcGFyYzY0LzIwMDcuMCwgZ2Nj LTMuNC42LCBnbGliYy0yLjUtcjQsIDIuNi4xNy1nZW50b28tcjggc3BhcmM2NCkKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K U3lzdGVtIHVuYW1lOiAyLjYuMTctZ2VudG9vLXI4IHNwYXJjNjQgc3VuNHUKR2VudG9vIEJhc2Ug U3lzdGVtIHJlbGVhc2UgMS4xMi45ClRpbWVzdGFtcCBvZiB0cmVlOiBTYXQsIDA4IFNlcCAyMDA3 IDIxOjUwOjAxICswMDAwCmFwcC1zaGVsbHMvYmFzaDogICAgIDMuMl9wMTcKZGV2LWxhbmcvcHl0 aG9uOiAgICAgMi40LjQtcjQKZGV2LXB5dGhvbi9weWNyeXB0bzogMi4wLjEtcjYKc3lzLWFwcHMv YmFzZWxheW91dDogMS4xMi45LXIyCnN5cy1hcHBzL3NhbmRib3g6ICAgIDEuMi4xNwpzeXMtZGV2 ZWwvYXV0b2NvbmY6ICAyLjEzLCAyLjYxLXIxCnN5cy1kZXZlbC9hdXRvbWFrZTogIDEuNF9wNiwg MS41LCAxLjYuMywgMS43LjktcjEsIDEuOC41LXIzLCAxLjkuNi1yMiwgMS4xMApzeXMtZGV2ZWwv YmludXRpbHM6ICAyLjE3CnN5cy1kZXZlbC9nY2MtY29uZmlnOiAxLjMuMTYKc3lzLWRldmVsL2xp YnRvb2w6ICAgMS41LjI0CnZpcnR1YWwvb3MtaGVhZGVyczogIDIuNi4yMQpBQ0NFUFRfS0VZV09S RFM9InNwYXJjIgpDQlVJTEQ9InNwYXJjLXVua25vd24tbGludXgtZ251IgpDRkxBR1M9Ii1PMiAt bWNwdT11bHRyYXNwYXJjMyAtcGlwZSIKQ0hPU1Q9InNwYXJjLXVua25vd24tbGludXgtZ251IgpD T05GSUdfUFJPVEVDVD0iL2V0YyAvdmFyL2JpbmQiCkNPTkZJR19QUk9URUNUX01BU0s9Ii9ldGMv ZW52LmQgL2V0Yy9nY29uZiAvZXRjL3BocC9hcGFjaGUyLXBocDUvZXh0LWFjdGl2ZS8gL2V0Yy9w aHAvY2dpLXBocDUvZXh0LWFjdGl2ZS8gL2V0Yy9waHAvY2xpLXBocDUvZXh0LWFjdGl2ZS8gL2V0 Yy9yZXZkZXAtcmVidWlsZCAvZXRjL3Rlcm1pbmZvIgpDWFhGTEFHUz0iLU8yIC1tY3B1PXVsdHJh c3BhcmMzIC1waXBlIgpESVNURElSPSIvdXNyL3BvcnRhZ2UvZGlzdGZpbGVzIgpGRUFUVVJFUz0i ZGlzdGxvY2tzIG1ldGFkYXRhLXRyYW5zZmVyIHBhcmFsbGVsLWZldGNoIHNhbmRib3ggc2ZwZXJt cyBzdHJpY3QiCkdFTlRPT19NSVJST1JTPSJodHRwOi8vZnRwLmJlbG5ldC5iZS9taXJyb3IvcnN5 bmMuZ2VudG9vLm9yZy9nZW50b28vIGZ0cDovL2Z0cC5nZW50b28tcHQub3JnL3B1Yi9nZW50b28g ZnRwOi8vbWlycm9yczEubmV0dmlzYW8ucHQvZ2VudG9vLyBodHRwOi8vdHJ1bXBldHRpLnR1dC5h dG0uZmkvZ2VudG9vIgpNQUtFT1BUUz0iLWoyIgpQS0dESVI9Ii91c3IvcG9ydGFnZS9wYWNrYWdl cyIKUE9SVEFHRV9SU1lOQ19PUFRTPSItLXJlY3Vyc2l2ZSAtLWxpbmtzIC0tc2FmZS1saW5rcyAt LXBlcm1zIC0tdGltZXMgLS1jb21wcmVzcyAtLWZvcmNlIC0td2hvbGUtZmlsZSAtLWRlbGV0ZSAt LWRlbGV0ZS1hZnRlciAtLXN0YXRzIC0tdGltZW91dD0xODAgLS1leGNsdWRlPS9kaXN0ZmlsZXMg LS1leGNsdWRlPS9sb2NhbCAtLWV4Y2x1ZGU9L3BhY2thZ2VzIC0tZmlsdGVyPUhfKiovZmlsZXMv ZGlnZXN0LSoiClBPUlRBR0VfVE1QRElSPSIvdmFyL3RtcCIKUE9SVERJUj0iL3Vzci9wb3J0YWdl IgpQT1JURElSX09WRVJMQVk9Ii91c3IvbG9jYWwvcG9ydGFnZSIKU1lOQz0icnN5bmM6Ly9hdGw2 NC5hY29yZXMucHQvZ2VudG9vLXBvcnRhZ2UiClVTRT0iYml0bWFwLWZvbnRzIGNsaSBjcmFja2xp YiBjcnlwdCBjdXBzIGRyaSBmb3J0cmFuIGdkYm0gZ3BtIGljb252IGlzZG5sb2cgbWlkaSBtdWRm bGFwIG5scyBucHRsIG5wdGxvbmx5IG9wZW5tcCBwYW0gcGNyZSBwcGRzIHBwcGQgcmVmbGVjdGlv biBzZXNzaW9uIHNwYXJjIHNwbCB0Y3BkIHRydWV0eXBlLWZvbnRzIHR5cGUxLWZvbnRzIHVuaWNv ZGUgdmhvc3RzIHhvcmciIEFMU0FfUENNX1BMVUdJTlM9ImFkcGNtIGFsYXcgYXN5bSBjb3B5IGRt aXggZHNoYXJlIGRzbm9vcCBlbXB0eSBleHRwbHVnIGZpbGUgaG9va3MgaWVjOTU4IGlvcGx1ZyBs YWRzcGEgbGZsb2F0IGxpbmVhciBtZXRlciBtdWxhdyBtdWx0aSBudWxsIHBsdWcgcmF0ZSByb3V0 ZSBzaGFyZSBzaG0gc29mdHZvbCIgRUxJQkM9ImdsaWJjIiBJTlBVVF9ERVZJQ0VTPSJrZXlib2Fy ZCBtb3VzZSBldmRldiIgS0VSTkVMPSJsaW51eCIgTENEX0RFVklDRVM9ImJheXJhZCBjZm9udHog Y2ZvbnR6NjMzIGdsayBoZDQ0NzgwIGxiMjE2IGxjZG0wMDEgbXR4b3JiIG5jdXJzZXMgdGV4dCIg VVNFUkxBTkQ9IkdOVSIgVklERU9fQ0FSRFM9ImR1bW15IGZiZGV2IGdsaW50IG1hY2g2NCBtZ2Eg cjEyOCByYWRlb24gc3VuYncyIHN1bmNnMTQgc3VuY2czIHN1bmNnNiBzdW5mZmIgc3VubGVvIHRk ZnggdjRsIHZvb2RvbyIKVW5zZXQ6ICBDVEFSR0VULCBFTUVSR0VfREVGQVVMVF9PUFRTLCBJTlNU QUxMX01BU0ssIExBTkcsIExDX0FMTCwgTERGTEFHUywgTElOR1VBUywgUE9SVEFHRV9DT01QUkVT UywgUE9SVEFHRV9DT01QUkVTU19GTEFHUywgUE9SVEFHRV9SU1lOQ19FWFRSQV9PUFRTCgo=