Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 61412 - app-crypt/heimdal ftpd Signal Handling Vulnerabilities
Summary: app-crypt/heimdal ftpd Signal Handling Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High blocker (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/12320/
Whiteboard: B0 [glsa] jaervosz
Keywords:
: 60850 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-08-23 11:37 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
heimdal-0.6.3.ebuild.diff (heimdal-0.6.3.ebuild.diff,931 bytes, patch)
2004-09-13 14:05 UTC, solar (RETIRED)
no flags Details | Diff
heimdal-0.6.3.ebuild.patch (patch.txt,964 bytes, patch)
2004-09-13 15:18 UTC, Jose Gonzalez Gomez
no flags Details | Diff
heimdal-kadmind.patch (patch.txt,362 bytes, patch)
2004-09-13 15:19 UTC, Jose Gonzalez Gomez
no flags Details | Diff
heimdal-kpasswdd.patch (patch.txt,365 bytes, patch)
2004-09-13 15:20 UTC, Jose Gonzalez Gomez
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 11:37:21 UTC
Description:
Przemyslaw Frasunek has reported some vulnerabilities in Heimdal ftpd, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.
 
 The vulnerabilities are caused due to various race condition errors within the out-of-band signal handling code.
 
 Successful exploitation may allow execution of FTP commands or arbitrary code with the privileges of the ftpd process.
 
 This has been reported in version 0.6.2. Other versions may also be affected.

Solution:
Use another FTP service.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 11:41:37 UTC
*** Bug 60850 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 11:43:04 UTC
Only reported by Secunia placing in upstream status.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-27 12:29:33 UTC
More vulnerabilites with OOB commands:

http://www.securityfocus.com/archive/1/372963/2004-08-16/2004-08-22/0

Still nothing upstream.
Comment 4 Tom Lynema 2004-09-03 13:09:15 UTC
Osvdb is listing this vuln as unstable.  

http://www.osvdb.org/displayvuln.php?osvdb_id=8994

From their site:

This means this vulnerability is lacking proper or complete infomation, and is in queue for processing by either a Data Mangler or Moderator.
Comment 5 Tom Lynema 2004-09-09 12:38:52 UTC
Here's the result of an e-mail sent to the maintainer


Tom Lynema <lyz27@yahoo.com> writes:

> Hello,
>
> Could you please tell us at gentoo about the status of the vulnerability
> that is described here http://bugs.gentoo.org/show_bug.cgi?id=61412 .

A patch exists and is part of the latest snapshot of heimdal-0.6 branch and
the upcoming 0.6.3 release.

ftp://ftp.pdc.kth.se/pub/heimdal/snapshots/heimdal-0.6.3rc2.tar.gz
ftp://ftp.pdc.kth.se/pub/heimdal/snapshots/heimdal-0.6-20040906.tar.gz

Love
Comment 7 Tom Lynema 2004-09-10 07:31:23 UTC
I sent the devs a message concerning the next release of the package and got this reply.


>>There's an rc3 now also, unless there's something coming up, I will
>>call it 0.6.3 soon.

>>/Johan

ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.6.3rc3.tar.gz
Comment 8 Tom Lynema 2004-09-13 05:56:02 UTC
Version 0.6.3 is out.

ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.3.tar.gz

This fixes the vuln.

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-13 06:34:55 UTC
aliz, rphillips please bump to newest version ASAP.

http://www.pdc.kth.se/heimdal/advisory/2004-09-13/
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-13 08:26:28 UTC
A DoS also seems to have been fixed in this version.
Sounds to me like the second vulnerability mentioned in GLSA 200409-09 for mit-krb5 (bug #62417). 
The changelog contains among other things:

"2004-09-05  Love H
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-13 08:26:28 UTC
A DoS also seems to have been fixed in this version.
Sounds to me like the second vulnerability mentioned in GLSA 200409-09 for mit-krb5 (bug #62417). 
The changelog contains among other things:

"2004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

        * lib/asn1/der_get.c (decode_enumerated): check that the tag
        length isn't longer the the length
" 


Announcement for Heimdal 0.6.3:

http://news.gmane.org/gmane.comp.encryption.kerberos.heimdal.announce

Recent reports claim that Heimdal release 0.6.3 has been spotted at:

        ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.3.tar.gz

The main attraction is a fix for the remote ftpd vulnerability, as
found in all Berkeley derived variants.

Changes in release 0.6.3

 * fix vulnerabilities in ftpd

 * support for linux AFS /proc "syscalls"

 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
   kpasswdd

 * fix possible KDC denial of service

 * bug fixes

Love, Assar, Jacques, and Johan
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-13 08:59:41 UTC
Thanks to dragonheart we now have a 0.6.3 ebuild, committed as -*

Jose Gonzalez Gomez helps with basic testing so that we can hand this later to arches for more arch-specific keywords.
Comment 13 Jose Gonzalez Gomez 2004-09-13 10:06:22 UTC
It seems the ebuild has some eclass missing in the inherit clause, either flag-o-matic or ccc. When I compile it I get the following error:

/usr/sbin/ebuild.sh: line 58: append-ldflags: command not found

The compile process continues, but with limited testing, it seems that it isn't working properly. I have manually added ccc (vorlon078 in #gentoo-security suggested this) to the inherit clause, and recompiling it, to see if that makes any difference. 

Now I have to leave, If I have time I'll try to test it later. If I can't I'll have a hard time to test it tomorrow, as I have a quite busy day.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-13 10:17:06 UTC
Jose stated that the heimdal compiles when ignore the append-ldflags error, "but it seems it isn't working properly".

Inheriting flag-o-matic, so that append-ldflags is known, leads to an error during configure. Inheriting ccc seems to compile at least, but I guess it shouldn't be needed.
Comment 15 Ryan Phillips (RETIRED) gentoo-dev 2004-09-13 11:02:22 UTC
I added inherit flag-o-matic to the 0.6.3 ebuild and the package configured and installed ok.

Portage 2.0.50-r5 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.6)
=================================================================
System uname: 2.6.6 i686 AMD Athlon(tm) XP 2100+
Gentoo Base System version 1.4.10
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apm arts avi berkdb cdr crypt cups encode esd foomaticdb gdbm gif gnome gpm gtk gtk2 imlib java jpeg kde ldap libg++ libwww mad mikmod motif mozilla mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline ruby sdl slang spell ssl svga tcltk tcpd tetex truetype x86 xml2 xmms xv zlib"
Comment 16 Ryan Phillips (RETIRED) gentoo-dev 2004-09-13 12:02:56 UTC
After a bit more testing, I've ran into the same problem as Matthias.
Comment 17 solar (RETIRED) gentoo-dev 2004-09-13 14:02:44 UTC
The ebuild is incorrect.

The append-ldflags -Wl,-z is probably supposed to be append-ldflags -Wl,-z,now
Comment 18 solar (RETIRED) gentoo-dev 2004-09-13 14:05:01 UTC
Created attachment 39529 [details, diff]
heimdal-0.6.3.ebuild.diff

The ebuild should probably look like this attachment.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-13 14:28:25 UTC
Compiles fine with patch from comment #17
Comment 20 solar (RETIRED) gentoo-dev 2004-09-13 15:00:11 UTC
ok great. Few more touchups needed for init scripts then I can commit this. 
Jose is working on the initscripts patches and should be posting them here shortly.
Comment 21 Jose Gonzalez Gomez 2004-09-13 15:16:17 UTC
Progress on this bug:
1. Compiled successfully with patch submitted by solar.
2. heimdal-kadmind and heimdal-kpasswdd have incorrect references to /usr/libexec instead of new location, /usr/sbin
3. The ebuild had an incorrect configure option: with-open-ldap instead of with-openldap

Once this was fixed the ebuild compiled successfuly, and the kerberos kdc works as expected.

Some comments, to be improved:
1. Files in /etc/conf.d should be created to be able to configure heimdal daemons
2. heimdal-kadmind daemon fails to start due to missing /var/heimdal/kdc.conf. The location of this file may be indicated with a command line option (look #1). Should we put this file in under /etc?

I think the ebuild is usable with the patches, but it should incorporate those improvements in later versions.
Comment 22 Jose Gonzalez Gomez 2004-09-13 15:18:08 UTC
Created attachment 39533 [details, diff]
heimdal-0.6.3.ebuild.patch

Inlcudes patches made by solar
Comment 23 Jose Gonzalez Gomez 2004-09-13 15:19:15 UTC
Created attachment 39534 [details, diff]
heimdal-kadmind.patch

In files directory
Comment 24 Jose Gonzalez Gomez 2004-09-13 15:20:02 UTC
Created attachment 39535 [details, diff]
heimdal-kpasswdd.patch

In files directory
Comment 25 Jose Gonzalez Gomez 2004-09-13 15:21:17 UTC
Another thing to remember about this... if kadmind doesn't find config file in default location, it fails to start, but the init script thinks that kadmind started correctly, so the service is left in started state. This should be also fixed.
Comment 26 solar (RETIRED) gentoo-dev 2004-09-13 15:46:15 UTC
Commited to portage.
KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips"

Ready for arch testing.
Comment 27 solar (RETIRED) gentoo-dev 2004-09-13 19:54:43 UTC
Arch maintainers please test and mark stable.
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-13 23:10:27 UTC
Thx Solar and Jose

Arches please test and mark stable ASAP. This is a possible remote root exploit.
Comment 29 Jason Huebel (RETIRED) gentoo-dev 2004-09-14 09:36:41 UTC
stable on amd64
Comment 30 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-14 17:27:28 UTC
ppc stable
Comment 31 Jason Wever (RETIRED) gentoo-dev 2004-09-14 17:32:42 UTC
Stable on sparc
Comment 32 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-14 21:45:07 UTC
***bump***
x86 please mark stable ASAP this is a remote root exploit
***bump***
Comment 33 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-15 10:01:50 UTC
There's another problem with heimdal: it presently conflicts with
mit-krb5. 
Comment 34 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-15 10:01:50 UTC
There's another problem with heimdal: it presently conflicts with
mit-krb5.  See bug #47138

It would be good for somebody to look at the Debian mit-krb5 and
heimdal packages to see how they manage the conflicting files.

Regards,
Aron
Comment 35 Guy Martin (RETIRED) gentoo-dev 2004-09-15 12:08:25 UTC
Stable on hppa.
Comment 36 Jose Gonzalez Gomez 2004-09-15 13:18:27 UTC
Sune: Those conflicts shouldn't be managed at all... mit-krb and heimdal are different implementations of the same thing, so they simply shouldn't be installed at the same time. This ebuild provides and is blocked by virtual/krb5. The problem is that there are a lot of packages that depend on mit-krb5 instead of virtual/krb5, and somehow they got installed at the same time... maybe some older version of the ebuilds that didn't include the virtual/krb5 stuff?
Comment 37 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-15 13:33:51 UTC
Yeah my bad, it was quickly noticed on -dev:

> There's another problem with heimdal: it presently conflicts with
> mit-krb5. 
Comment 38 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-15 13:33:51 UTC
Yeah my bad, it was quickly noticed on -dev:

> There's another problem with heimdal: it presently conflicts with
> mit-krb5.  See bug 47138

I guess this a problem of the past. Both packages provide virtual/krb5 and 
block each other this way.


Carsten
Comment 39 Olivier Crete (RETIRED) gentoo-dev 2004-09-15 14:57:55 UTC
stable on x86
Comment 40 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-15 15:44:48 UTC
Stable on alpha.
Comment 41 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-16 02:48:11 UTC
GLSA 200409-19

ia64 and mips don't forget to mark stable to benifit from the GLSA.
Comment 42 Joshua Kinard gentoo-dev 2004-09-20 12:31:52 UTC
mips stable.