Bug 191301 - app-crypt/mit-krb5 < 1.5.3-r1 multiple vulnerabilities (CVE-2007-3999, CVE-2007-4000)
Bug#: 191301 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: hncaldwell@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-crypt/mit-krb5 < 1.5.3-r1 multiple vulnerabilities (CVE-2007-3999, CVE-2007-4000)
Keywords:  
Status Whiteboard: B0 [glsa] vorlon
Opened: 2007-09-04 21:23 0000
Description:   Opened: 2007-09-04 21:23 0000 
MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999] An unauthenticated remote user may be able to cause a
host running kadmind to execute arbitrary code.

[CVE-2007-4000] An authenticated user with "modify policy" privilege
may be able to cause a host running kadmind to execute arbitrary code.

See:  http://www.securityfocus.com/archive/1/478544

Reproducible: Always

Steps to Reproduce:

------- Comment #1 From Pierre-Yves Rofes 2007-09-05 11:03:12 0000 ------- 
*** Bug 191356 has been marked as a duplicate of this bug. ***

------- Comment #2 From Pierre-Yves Rofes 2007-09-05 11:08:32 0000 ------- 
kerberos, please advise.

------- Comment #3 From Seemant Kulleen (RETIRED) 2007-09-05 13:13:29 0000 ------- 
I think I have some patches laying around for this fix.  Will report back.

------- Comment #4 From Heath Caldwell 2007-09-05 21:00:59 0000 ------- 
Created an attachment (id=130116) [details]
Revised patch.

See http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

"...
The patch for CVE-2007-3999 has been revised; the patch originally
released for svc_auth_gss.c allowed a 32-byte overflow.  Depending
on the compilation environment and machine architecture, this may or
may not be a significant continued vulnerability.  The new patch
below correctly checks the buffer length.
..."

------- Comment #5 From Pierre-Yves Rofes 2007-09-06 07:45:44 0000 ------- 
*** Bug 191444 has been marked as a duplicate of this bug. ***

------- Comment #6 From Seemant Kulleen (RETIRED) 2007-09-07 06:27:36 0000 ------- 
thanks for that Heath.  New ebuild is 1.5.3-r1.

Arch teams can feel free to do what they need to.

------- Comment #7 From Pierre-Yves Rofes 2007-09-07 07:52:57 0000 ------- 
Thanks Seemant. Arches, please test and mark stable. Target keywords are:
"alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"

------- Comment #8 From Jeroen Roovers 2007-09-07 09:47:39 0000 ------- 
Stable for HPPA.

------- Comment #9 From Raúl Porcel 2007-09-07 11:39:54 0000 ------- 
alpha/ia64/x86 stable

------- Comment #10 From Tobias Scherbaum 2007-09-07 14:52:50 0000 ------- 
ppc stable

------- Comment #11 From Chris Gianelloni (RETIRED) 2007-09-07 18:18:39 0000 ------- 
amd64 done

------- Comment #12 From Markus Rothe 2007-09-08 08:05:48 0000 ------- 
ppc64 stable

------- Comment #13 From Jorge Manuel B. S. Vicetto 2007-09-09 03:57:12 0000 ------- 
mit-krb5-1.5.3-r1 emerged fine here on sparc64 with both:
app-crypt/mit-krb5-1.5.3-r1 (ipv6 tcl)
app-crypt/mit-krb5-1.5.3-r1

------- Comment #14 From Jorge Manuel B. S. Vicetto 2007-09-09 03:59:26 0000 ------- 
Created an attachment (id=130389) [details]
sparc64 emerge --info

------- Comment #15 From Matthias Geerdsen 2007-09-10 18:48:08 0000 ------- 
security:
GLSA drafted and ready for review

sparc team, please test and mark stable

------- Comment #16 From Jeroen Roovers 2007-09-11 03:17:47 0000 ------- 
Stable for SPARC.

------- Comment #17 From Matthias Geerdsen 2007-09-11 20:04:56 0000 ------- 
GLSA 200709-01

thanks everyone