Bug 171889 - app-crypt/mit-krb5 Multiple issues CVE-2007-{095{6|7}|1216}
Bug#: 171889 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: blocker Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-crypt/mit-krb5 Multiple issues CVE-2007-{095{6|7}|1216}
Keywords:  
Status Whiteboard: B0? [glsa] jaervosz
Opened: 2007-03-23 07:25 0000
Description:   Opened: 2007-03-23 07:25 0000 
CVE-2007-0957:

A buffer overflow exists in the krb5_klog_syslog() function used by
kadmind and the KDC.

An authenticated user may be able to execute arbitrary code on a host
running kadmind.

An authenticated user may be able to execute arbitrary code on KDC
host.  Also, a user controlling a Kerberos realm sharing a key with
the target realm may be able to execute arbitrary code on a KDC host.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind and the
KDC typically run as root.)  Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications calling krb5_klog_syslog() may also be
vulnerable.

This affects all releases of MIT krb5 up to and including krb5-1.6.

CVE-2007-0956:

A remotely-exploitable root vulnerability is present in an application
which ships in the krb5 sources.

This affects all releases of MIT krb5 up to and including krb5-1.6.

CVE-2007-1216:

An authenticated user may be able to execute arbitrary code on a host
running kadmind.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind and the
KDC typically run as root.)  Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications calling either the RPC library or the GSS-API
library provided with MIT krb5 may be vulnerable.

This vulnerability affects MIT krb5 releases krb5-1.4 up to and
including krb5-1.6.  It can affect third-party on all MIT krb5
releases, including krb5-1.6.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-03-23 07:31:20 0000 ------- 
Seemant please attach updated ebuilds for pretesting. Do not commit anything to
Portage yet.

------- Comment #2 From Chris Gianelloni (RETIRED) 2007-03-24 15:06:24 0000 ------- 
I didn't see what the "fix" is here and am curious, as I would like to
*quietly* add a fix for this to the snapshot for the release.  We're planning
on releasing before this date, and GRP does include kerberos support, but we
likely will only be releasing 1 day before, meaning if I can slip in a patch
without a revision bump into the current stable (in my snapshot only), nobody
would be the wiser.  We would have a secure out-of-box release, yet the
"upgrade" would still be the next day.

Is that possible/doable?

------- Comment #3 From Seemant Kulleen (RETIRED) 2007-03-24 15:12:59 0000 ------- 
Chris, yes, I'll send you an ebuild

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-03-24 15:58:28 0000 ------- 
Seemant could you attach the ebuilds here as well so I can call arch security
liaisons?

Chris I'm awaiting answer from upstream. I'll update this as soon as I know
more.

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-03-28 05:54:32 0000 ------- 
Answer received from upstream. Forwarded to Chris.

Seement could you please attach the updated ebuilds, the deadline is getting
close?

------- Comment #6 From Seemant Kulleen (RETIRED) 2007-03-29 01:53:43 0000 ------- 
Created an attachment (id=114842) [details]
new ebuild

This is the new proposed ebuild (though I reckon for final release the version
will change).

------- Comment #7 From Seemant Kulleen (RETIRED) 2007-03-29 01:54:07 0000 ------- 
Created an attachment (id=114843) [details]
The first patch to fix telnetd

------- Comment #8 From Seemant Kulleen (RETIRED) 2007-03-29 01:54:30 0000 ------- 
Created an attachment (id=114844) [details]
The second patch to fix syslogging

------- Comment #9 From Seemant Kulleen (RETIRED) 2007-03-29 01:54:48 0000 ------- 
Created an attachment (id=114845) [details]
The third and final patch

------- Comment #10 From Seemant Kulleen (RETIRED) 2007-03-29 01:55:09 0000 ------- 
OK, here's the ebuild with 3 patches.  Please put the patches into FILESDIR.

------- Comment #11 From Chris Gianelloni (RETIRED) 2007-03-29 13:44:13 0000 ------- 
Still 1.5.2, correct?

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-03-29 14:16:16 0000 ------- 
Thx Seemant.

Arch Security Liaisons please test and report back on this bug. Do NOT commit
anything at this time.

------- Comment #13 From Chris Gianelloni (RETIRED) 2007-03-29 15:50:00 0000 ------- 
OK.  I've added this as 1.5.2 (not -r1) into the snapshot.  While this will go
public before the release date, this just makes it simpler on me since anything
official that goes into the tree will definitely supersede the snapshot's
version.

Thanks everyone!

------- Comment #14 From Markus Rothe 2007-03-29 19:09:52 0000 ------- 
compiles and works on ppc64.

------- Comment #15 From Tobias Scherbaum 2007-03-29 20:02:54 0000 ------- 
looks good on ppc

------- Comment #16 From Gustavo Zacarias (RETIRED) 2007-03-30 13:56:24 0000 ------- 
Looks ok on sparc.

------- Comment #17 From René Nussbaumer 2007-03-30 21:05:55 0000 ------- 
Looks good on hppa.

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-04-01 17:59:15 0000 ------- 
Coordinated release in about 48 hours. Status so far is that we are ready for
the following arches:

hppa ppc ppc64 sparc

We still need OK from the following arches:

x86 amd64 alpha

Security please review the drafted GLSA.

------- Comment #19 From Joshua Jackson 2007-04-02 19:05:36 0000 ------- 
looks good on x86

------- Comment #20 From Matthias Geerdsen 2007-04-02 19:57:09 0000 ------- 
adding kingtaco for amd64

------- Comment #21 From Bryan Østergaard (RETIRED) 2007-04-02 20:16:13 0000 ------- 
alpha and ia64 looks good.

------- Comment #22 From Sune Kloppenborg Jeppesen 2007-04-02 20:18:39 0000 ------- 
Removing tcort since he's retired.

------- Comment #23 From Mike Doty 2007-04-02 21:03:07 0000 ------- 
patches and compiles on amd64.

------- Comment #24 From Raphael Marichez 2007-04-02 21:31:35 0000 ------- 
nice

------- Comment #25 From Matthias Geerdsen 2007-04-03 19:34:08 0000 ------- 
public now, advisories availably on MIT site and bugtraq

seemant, please commit the updated ebuild (directly to stable for the tested
arches)

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

arm (and mips?) should be added as soon as the ebuild has been commited

------- Comment #26 From Matthias Geerdsen 2007-04-03 19:51:52 0000 ------- 
updating status, since we should of course wait for the ebuild ;-)

------- Comment #27 From Matthias Geerdsen 2007-04-03 20:29:17 0000 ------- 
thanks for the fast commit seemant

removing arch team members, adding missing arches

ready for GLSA publication

------- Comment #28 From Sune Kloppenborg Jeppesen 2007-04-03 21:26:30 0000 ------- 
Thx everyone!

GLSA 200704-02

------- Comment #29 From Sune Kloppenborg Jeppesen 2007-04-04 06:27:45 0000 ------- 
*** Bug 173299 has been marked as a duplicate of this bug. ***