Bug 61412 - app-crypt/heimdal ftpd Signal Handling Vulnerabilities

Bug#: 61412
Product: Gentoo Linux
Version: 2004.1
Platform: All
OS/Version: All
Status: RESOLVED
Severity: blocker
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Security
URL: http://secunia.com/advisories/12320/
Summary: app-crypt/heimdal ftpd Signal Handling Vulnerabilities
Keywords:
Status Whiteboard: B0 [glsa] jaervosz
Opened: 2004-08-23 11:37 0000

Description:
Przemyslaw Frasunek has reported some vulnerabilities in Heimdal ftpd, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.
The vulnerabilities are caused due to various race condition errors within the out-of-band signal handling code.
Successful exploitation may allow execution of FTP commands or arbitrary code with the privileges of the ftpd process.
This has been reported in version 0.6.2. Other versions may also be affected.
Solution:
Use another FTP service.
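The advisory above describes race conditions in the out-of-band (SIGURG) signal handling of ftpd. The following is an added example, not Heimdal's code, showing the defensive pattern that avoids that bug class: the handler only sets a flag, command dispatch happens in the main loop, and sections that touch non-reentrant state block the signal so a pending event is delivered only after the mask is restored. All names in it (oob_pending, note_oob, install_oob_handler, oob_block, oob_unblock, run_command, drain_oob, check_deferred_delivery) and the command codes are hypothetical.

```c
/*
 * Added example, not Heimdal's code: async-signal-safe handling of an
 * out-of-band event, as opposed to parsing and executing the OOB FTP
 * command from inside the signal handler.  All identifiers are hypothetical.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The handler only records that an event happened.  Writing a volatile
 * sig_atomic_t is async-signal-safe; calling the command parser, stdio or
 * malloc from here is what creates the race. */
static volatile sig_atomic_t oob_pending = 0;

static void note_oob(int sig)
{
    (void)sig;
    oob_pending = 1;
}

/* sigaction(2) rather than signal(3), so the disposition is not reset after
 * the first delivery.  No SA_RESTART: a blocking read returns EINTR and the
 * main loop gets to look at the flag promptly. */
int install_oob_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = note_oob;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGURG, &sa, NULL);
}

/* Critical sections block SIGURG; a signal raised meanwhile stays pending
 * and is delivered when the old mask is restored. */
int oob_block(sigset_t *old)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGURG);
    return sigprocmask(SIG_BLOCK, &set, old);
}

int oob_unblock(const sigset_t *old)
{
    return sigprocmask(SIG_SETMASK, old, NULL);
}

/* Command dispatch runs in ordinary context only.  Constructed codes:
 * 1 = ABOR, 2 = STAT, 0 = anything else. */
static int run_command(const char *cmd)
{
    if (strcmp(cmd, "ABOR") == 0) return 1;
    if (strcmp(cmd, "STAT") == 0) return 2;
    return 0;
}

/* Called from the main loop with the command it has already read from the
 * control connection.  Returns -1 when no OOB event is pending, otherwise
 * the dispatched command code. */
int drain_oob(const char *cmd)
{
    if (!oob_pending) return -1;
    oob_pending = 0;
    return run_command(cmd);
}

/* Self-check: returns 0 when an event raised inside a blocked section is
 * held back and delivered right after the mask is restored, 1 otherwise. */
int check_deferred_delivery(void)
{
    sigset_t old;
    int during, after;
    if (install_oob_handler() != 0 || oob_block(&old) != 0) return 1;
    raise(SIGURG);                 /* stays pending: handler must not run yet */
    during = drain_oob("STAT");    /* expected -1 */
    if (oob_unblock(&old) != 0) return 1;
    after = drain_oob("STAT");     /* expected 2: delivered on unblock */
    return (during == -1 && after == 2) ? 0 : 1;
}

int main(void)
{
    if (install_oob_handler() != 0) {
        perror("sigaction");
        return 1;
    }
    raise(SIGURG);
    printf("direct delivery -> code %d\n", drain_oob("ABOR"));
    printf("deferred delivery check -> %d\n", check_deferred_delivery());
    return 0;
}
```

The point of oob_block/oob_unblock is the race itself: any state the dispatcher touches (the command buffer, stdio, the data-connection bookkeeping) must not be modified by a handler that can interrupt it halfway, so the handler does nothing but set the flag and the main loop decides when to act on it.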
*** Bug 60850 has been marked as a duplicate of this bug. ***
Only reported by Secunia placing in upstream status.
A DoS also seems to have been fixed in this version.
Sounds to me like the second vulnerability mentioned in GLSA 200409-09 for mit-krb5 (bug #62417).
The changelog contains among other things:
"2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>
    * lib/asn1/der_get.c (decode_enumerated): check that the tag
      length isn't longer than the length"
Announcement for Heimdal 0.6.3:
http://news.gmane.org/gmane.comp.encryption.kerberos.heimdal.announce
Recent reports claim that Heimdal release 0.6.3 has been spotted at:
ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.3.tar.gz
The main attraction is a fix for the remote ftpd vulnerability, as
found in all Berkeley derived variants.
Changes in release 0.6.3
* fix vulnerabilities in ftpd
* support for linux AFS /proc "syscalls"
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd
* fix possible KDC denial of service
* bug fixes
Love, Assar, Jacques, and Johan
Thanks to dragonheart we now have a 0.6.3 ebuild, committed as -*
Jose Gonzalez Gomez helps with basic testing so that we can hand this later to arches for more arch-specific keywords.
It seems the ebuild has some eclass missing in the inherit clause, either flag-o-matic or ccc. When I compile it I get the following error:
/usr/sbin/ebuild.sh: line 58: append-ldflags: command not found
The compile process continues, but with limited testing, it seems that it isn't working properly. I have manually added ccc (vorlon078 in #gentoo-security suggested this) to the inherit clause, and I am recompiling it to see if that makes any difference.
Now I have to leave. If I have time I'll try to test it later. If I can't, I'll have a hard time testing it tomorrow, as I have a quite busy day.
Jose stated that heimdal compiles when ignoring the append-ldflags error, "but it seems it isn't working properly".
Inheriting flag-o-matic, so that append-ldflags is known, leads to an error during configure. Inheriting ccc seems to compile at least, but I guess it shouldn't be needed.
I added inherit flag-o-matic to the 0.6.3 ebuild and the package configured and installed ok.
Portage 2.0.50-r5 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.6)
=================================================================
System uname: 2.6.6 i686 AMD Athlon(tm) XP 2100+
Gentoo Base System version 1.4.10
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.2/share/config /usr/kde/3/share/config
/usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apm arts avi berkdb cdr crypt cups encode esd foomaticdb gdbm gif gnome
gpm gtk gtk2 imlib java jpeg kde ldap libg++ libwww mad mikmod motif mozilla
mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt
quicktime readline ruby sdl slang spell ssl svga tcltk tcpd tetex truetype x86
xml2 xmms xv zlib"
After a bit more testing, I've run into the same problem as Matthias.
The ebuild is incorrect.
The append-ldflags -Wl,-z is probably supposed to be append-ldflags -Wl,-z,now
ok great. Few more touchups needed for init scripts then I can commit this.
Jose is working on the initscripts patches and should be posting them here shortly.
Progress on this bug:
1. Compiled successfully with patch submitted by solar.
2. heimdal-kadmind and heimdal-kpasswdd have incorrect references to /usr/libexec instead of new location, /usr/sbin
3. The ebuild had an incorrect configure option: with-open-ldap instead of with-openldap
Once this was fixed the ebuild compiled successfully, and the kerberos kdc works as expected.
Some comments, to be improved:
1. Files in /etc/conf.d should be created to be able to configure heimdal daemons
2. heimdal-kadmind daemon fails to start due to missing /var/heimdal/kdc.conf. The location of this file may be indicated with a command line option (see #1). Should we put this file under /etc?
I think the ebuild is usable with the patches, but it should incorporate those improvements in later versions.
Another thing to remember about this... if kadmind doesn't find the config file in the default location, it fails to start, but the init script thinks that kadmind started correctly, so the service is left in the started state. This should also be fixed.
Committed to portage.
KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips"
Ready for arch testing.
Arch maintainers please test and mark stable.
Thx Solar and Jose
Arches please test and mark stable ASAP. This is a possible remote root exploit.
***bump***
x86 please mark stable ASAP this is a remote root exploit
***bump***
There's another problem with heimdal: it presently conflicts with mit-krb5. See bug #47138
It would be good for somebody to look at the Debian mit-krb5 and heimdal packages to see how they manage the conflicting files.
Regards,
Aron
Sune: Those conflicts shouldn't be managed at all... mit-krb and heimdal are different implementations of the same thing, so they simply shouldn't be installed at the same time. This ebuild provides and is blocked by virtual/krb5. The problem is that there are a lot of packages that depend on mit-krb5 instead of virtual/krb5, and somehow they got installed at the same time... maybe some older version of the ebuilds that didn't include the virtual/krb5 stuff?
Yeah my bad, it was quickly noticed on -dev:
> There's another problem with heimdal: it presently conflicts with
> mit-krb5. See bug 47138
I guess this is a problem of the past. Both packages provide virtual/krb5 and block each other this way.
Carsten
GLSA 200409-19
ia64 and mips don't forget to mark stable to benefit from the GLSA.