Created attachment 395552
updated ebuild

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt:

The MIT krb5 team has discovered four vulnerabilities affecting kadmind. Some of these vulnerabilities may also affect server applications which use the gssrpc library or the gss_process_context_token() function. These are implementation vulnerabilities, not vulnerabilities in the Kerberos protocol.

CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller is left with a security context handle containing a dangling pointer. Further uses of this handle will result in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind are vulnerable as they can be instructed to call gss_process_context_token().

CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may perform use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications may also be vulnerable if they contain insufficiently defensive XDR functions.

CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts authentications to two-component server principals whose first component is a left substring of "kadmin" or whose realm is a left prefix of the default realm.

CVE-2014-9423: libgssrpc applications including kadmind output four or eight bytes of uninitialized memory to the network as part of an unused "handle" field in replies to clients.

I've attached a patch to update the ebuild to 1.13-r1, which fixes these vulnerabilities and also those from bug #533734.
+*mit-krb5-1.13-r1 (05 Feb 2015) + + 05 Feb 2015; Eray Aslan <eras@gentoo.org> +files/2015-001-patch-r113.patch, + +files/mit-krb5-CVE-2014-5353.patch, +files/mit-krb5-CVE-2014-5354.patch, + +mit-krb5-1.13-r1.ebuild: + Security bump - bugs #533734 #538842 + Arches, please test and mark stable =app-crypt/mit-krb5-1.13-r1. Thank you. Target Stable Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
arm stable
sparc stable
ppc64 stable
ppc stable
ia64 stable
alpha stable. Maintainer(s), please clean up. Security, please vote.
CVE-2014-9423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9423): The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.

CVE-2014-9422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9422): The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.

CVE-2014-9421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9421): The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

CVE-2014-5352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5352): The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind.
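The CVE-2014-9422 principal check described in the advisory quoted above and in the NVD entry here, as an added C illustration that is not krb5's code: a hypothetical two-component principal splitter, a prefix-style comparison that accepts any left substring of "kadmin" (and any left prefix of the default realm), and the exact comparison a hardened check uses. The strncmp-with-candidate-length form is an assumption about how this class of bug arises, not the actual kadmind source.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: split "service/instance@REALM" into its parts.
 * Returns 1 when the name has exactly one '/' before the '@', else 0. */
static int split_principal(const char *princ, char *svc, char *inst,
                           char *realm, size_t n)
{
    const char *slash = strchr(princ, '/');
    const char *at = strrchr(princ, '@');
    if (!slash || !at || at < slash)
        return 0;
    if ((size_t)(slash - princ) >= n || (size_t)(at - slash - 1) >= n ||
        strlen(at + 1) >= n)
        return 0;                       /* component too long for buffers */
    memcpy(svc, princ, slash - princ);  svc[slash - princ] = '\0';
    memcpy(inst, slash + 1, at - slash - 1); inst[at - slash - 1] = '\0';
    strcpy(realm, at + 1);
    return 1;
}

/* Flawed check (assumed shape of the bug): the comparison length comes
 * from the candidate, so "ka" matches "kadmin" and "EXAMPLE" matches
 * "EXAMPLE.COM". An empty first component matches too (length 0). */
int check_prefix_bug(const char *princ, const char *default_realm)
{
    char svc[64], inst[64], realm[64];
    if (!split_principal(princ, svc, inst, realm, sizeof svc))
        return 0;
    return strncmp(svc, "kadmin", strlen(svc)) == 0 &&
           strncmp(realm, default_realm, strlen(realm)) == 0;
}

/* Hardened check: full-string equality on both the service component
 * and the realm, so only kadmin/<instance>@<default realm> passes. */
int check_exact(const char *princ, const char *default_realm)
{
    char svc[64], inst[64], realm[64];
    if (!split_principal(princ, svc, inst, realm, sizeof svc))
        return 0;
    return strcmp(svc, "kadmin") == 0 && strcmp(realm, default_realm) == 0;
}

int main(void)
{
    const char *p = "ka/x@EXAMPLE.COM";    /* constructed sample name */
    printf("%s: flawed=%d exact=%d\n", p,
           check_prefix_bug(p, "EXAMPLE.COM"), check_exact(p, "EXAMPLE.COM"));
    return 0;
}
```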
Arches, thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), thank you for cleanup.
GLSA vote: no. Closing as [noglsa].