Bug#: 199212
Status: RESOLVED
Resolution: DUPLICATE of bug 199205
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: airsupply <airsupply@venustech.com.cn>
Description:   Opened: 2007-11-15 08:37 0000
mit-krb5 lib vulnerability
[Security Advisory]

Advisory: [AD_LAB-0713] mit-krb5 gssapi lib vulnerability
Class: Design Error
DATE:11/9/2007
CVEID: CVE-2007-5971
Vulnerable:
        mit-krb5 All
Vendor:
        MIT
I.Synopsis

A vulnerability has been discovered in gssapi lib included in mit-krb5.

II.DETAILS:
----------
Background

The gssapi lib is a crypt lib included in mit-krb5.

Description

        There is a double free vulnerability in function
gss_krb5int_make_seal_token_v3 in k5sealv3.c.
......
        if (message2->length)
            memcpy(outbuf + 16, message2->value, message2->length);

        sum.contents = outbuf + 16 + message2->length;
        sum.length = ctx->cksum_size;

        err = krb5_c_make_checksum(context, ctx->cksumtype, key,
                                   key_usage, &plain, &sum);
        zap(plain.data, plain.length);
        free(plain.data);
        plain.data = 0;
        if (err) {
            zap(outbuf,bufsize);
            /* (1) Pointer outbuf freed by function free */
            free(outbuf);
            goto error;
        }
        if (sum.length != ctx->cksum_size)
            abort();
......
    error:
        /* (2) Double free of pointer outbuf in free(outbuf) */
        free(outbuf);
        token->value = NULL;
        token->length = 0;
        return err;
    }

......
Impact
    A remote attacker may cause instability and potentially crash an
application or service that uses the gssapi lib in mit-krb5.


III.CREDIT: 
----------
    Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Security
Trusted {Solution} Provider
Service
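
The cleanup pattern from the excerpt above, as an added example that is not part of the advisory or of MIT's code: the error branch releases the buffer and then jumps to a label that releases it again, shown beside a form where the label is the only place that frees. `struct buf`, `buf_release`, `make_checksum` and both `releases_*` functions are hypothetical names, and the release counter stands in for the second `free()` so the flawed path can be run safely.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed instrumentation: counts release calls on a buffer and only
 * passes the first one to free(), so the flawed path can run safely. */
struct buf { unsigned char *p; int releases; };

static void buf_release(struct buf *b)
{
    if (b->releases++ == 0)
        free(b->p);
}

/* Hypothetical stand-in for krb5_c_make_checksum(): fails on demand. */
static int make_checksum(int fail) { return fail ? -1 : 0; }

/* Control flow of the excerpt: release in the error branch, then again
 * at the shared label. Returns how many times the buffer was released. */
int releases_as_reported(int fail, size_t n)
{
    struct buf out = { malloc(n), 0 };
    if (out.p == NULL)
        return -1;
    if (make_checksum(fail)) {
        memset(out.p, 0, n);      /* zap(outbuf, bufsize) */
        buf_release(&out);        /* (1) */
        goto error;
    }
    buf_release(&out);            /* success: stands in for the caller's later free */
    return out.releases;
error:
    buf_release(&out);            /* (2) second release of the same pointer */
    return out.releases;
}

/* Hardened form: the branch only scrubs; the label is the single owner of cleanup. */
int releases_hardened(int fail, size_t n)
{
    struct buf out = { malloc(n), 0 };
    if (out.p == NULL)
        return -1;
    if (make_checksum(fail)) {
        memset(out.p, 0, n);
        goto error;
    }
    buf_release(&out);            /* success: stands in for the caller's later free */
    return out.releases;
error:
    buf_release(&out);            /* released exactly once */
    return out.releases;
}
```

A release count above 1 on any path is the condition to look for when reviewing functions that mix in-branch frees with a shared cleanup label.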

------- Comment #1 From Pierre-Yves Rofes 2007-11-16 22:12:05 0000 -------

*** This bug has been marked as a duplicate of bug 199205 ***
