CVE-2007-0957: A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind. An authenticated user may be able to execute arbitrary code on a KDC host. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable. This affects all releases of MIT krb5 up to and including krb5-1.6.

CVE-2007-0956: A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources. This affects all releases of MIT krb5 up to and including krb5-1.6.

CVE-2007-1216: An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable. This vulnerability affects MIT krb5 releases krb5-1.4 up to and including krb5-1.6. It can affect third-party applications on all MIT krb5 releases, including krb5-1.6.
Seemant please attach updated ebuilds for pretesting. Do not commit anything to Portage yet.
I didn't see what the "fix" is here and am curious, as I would like to *quietly* add a fix for this to the snapshot for the release. We're planning on releasing before this date, and GRP does include kerberos support, but we likely will only be releasing 1 day before, meaning if I can slip in a patch without a revision bump into the current stable (in my snapshot only), nobody would be the wiser. We would have a secure out-of-box release, yet the "upgrade" would still be the next day. Is that possible/doable?
Chris, yes, I'll send you an ebuild
Seemant, could you attach the ebuilds here as well so I can call arch security liaisons? Chris, I'm awaiting an answer from upstream. I'll update this as soon as I know more.
Answer received from upstream. Forwarded to Chris. Seemant, could you please attach the updated ebuilds? The deadline is getting close.
Created attachment 114842: new ebuild
This is the new proposed ebuild (though I reckon for the final release the version will change).
Created attachment 114843: The first patch to fix telnetd
Created attachment 114844: The second patch to fix syslogging
Created attachment 114845: The third and final patch
OK, here's the ebuild with 3 patches. Please put the patches into FILESDIR.
Still 1.5.2, correct?
Thx Seemant. Arch Security Liaisons please test and report back on this bug. Do NOT commit anything at this time.
OK. I've added this as 1.5.2 (not -r1) into the snapshot. While this will go public before the release date, this just makes it simpler on me since anything official that goes into the tree will definitely supersede the snapshot's version. Thanks everyone!
compiles and works on ppc64.
looks good on ppc
Looks ok on sparc.
Looks good on hppa.
Coordinated release in about 48 hours. Status so far is that we are ready for the following arches: hppa, ppc, ppc64, sparc. We still need OK from the following arches: x86, amd64, alpha. Security, please review the drafted GLSA.
looks good on x86
adding kingtaco for amd64
alpha and ia64 look good.
Removing tcort since he's retired.
patches and compiles on amd64.
nice
public now, advisories available on the MIT site and bugtraq. seemant, please commit the updated ebuild (directly to stable for the tested arches).
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
arm (and mips?) should be added as soon as the ebuild has been committed.
updating status, since we should of course wait for the ebuild ;-)
thanks for the fast commit seemant. removing arch team members, adding missing arches. ready for GLSA publication.
Thx everyone! GLSA 200704-02
*** Bug 173299 has been marked as a duplicate of this bug. ***