Bug 183338 - app-crypt/mit-krb5 uninitialized pointer free, integer conversion, stack buffer overflow (CVE-2007-{2442|2443|2798})
Bug#: 183338 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: critical Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: hncaldwell@gentoo.org
Component: Vulnerabilities
URL:  http://www.us-cert.gov/cas/techalerts/TA07-177A.html
Summary: app-crypt/mit-krb5 uninitialized pointer free, integer conversion, stack buffer overflow (CVE-2007-{2442|2443|2798})
Keywords:  
Status Whiteboard: B0? [glsa] jaervosz
Opened: 2007-06-26 23:11 0000
Description:   Opened: 2007-06-26 23:11 0000 
* VU#356961 - MIT Kerberos RPC library gssrpc__svcauth_gssapi() uninitialized
pointer free vulnerability
      A vulnerability in the MIT Kerberos administration daemon (kadmind) may
allow an uninitialized pointer to be freed, which may allow a remote,
unauthenticated user to execute arbitrary code. This vulnerability can be
triggered by sending a specially crafted Kerberos message to a vulnerable
system.

    * VU#365313 - MIT Kerberos kadmind RPC library gssrpc__svcauth_unix()
integer conversion error
      An integer conversion error vulnerability exists in the MIT Kerberos
kadmind that may allow a remote, unauthenticated user to execute arbitrary
code.

    * VU#554257 - MIT Kerberos kadmind principal renaming stack buffer overflow
      A stack buffer overflow exists in the way the MIT Kerberos kadmind
handles the principle renaming operation, which may allow a remote,
authenticated user to execute arbitrary code.


Reproducible: Didn't try

Steps to Reproduce:




May also be related to:
CVE-2007-2442 krb5 RPC library unitialized pointer free,                        
CVE-2007-2443 krb5 RPC library stack overflow, and  
CVE-2007-2798 krb5 kadmind buffer overflow,
which are still under review.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-06-28 04:50:12 0000 ------- 
Kerberos please provide the updated ebuild.

------- Comment #2 From Seemant Kulleen (RETIRED) 2007-07-03 14:48:03 0000 ------- 
mit-krb5-1.5.2-r3 and mit-krb5-1.5.3 both solve this bug.

Please stable both, if possible.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-07-15 07:43:49 0000 ------- 
Sorry for calling arches SO late, I've been out of the loop for a few weeks.

Arches please test and mark stable mit-krb5-1.5.2-r3 or mit-krb5-1.5.3. Target
keywords are:

"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"

------- Comment #4 From Raúl Porcel 2007-07-15 13:09:26 0000 ------- 
alpha/ia64/x86 stable

------- Comment #5 From Steve Dibb 2007-07-15 16:28:36 0000 ------- 
amd64 stable

------- Comment #6 From Tobias Scherbaum 2007-07-15 21:02:06 0000 ------- 
ppc stable

------- Comment #7 From Jeroen Roovers 2007-07-16 07:18:55 0000 ------- 
Both stable for HPPA.

------- Comment #8 From Gustavo Zacarias (RETIRED) 2007-07-16 12:08:17 0000 ------- 
sparc stable.

------- Comment #9 From Markus Rothe 2007-07-16 18:58:12 0000 ------- 
=app-crypt/mit-krb5-1.5.3 stable on ppc64

------- Comment #10 From Raphael Marichez 2007-07-25 22:32:00 0000 ------- 
GLSA 200707-11, thanks to everybody !