Description: Przemyslaw Frasunek has reported some vulnerabilities in Heimdal ftpd, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system. The vulnerabilities are caused due to various race condition errors within the out-of-band signal handling code. Successful exploitation may allow execution of FTP commands or arbitrary code with the privileges of the ftpd process. This has been reported in version 0.6.2. Other versions may also be affected. Solution: Use another FTP service.
*** Bug 60850 has been marked as a duplicate of this bug. ***
Only reported by Secunia placing in upstream status.
More vulnerabilities with OOB commands: http://www.securityfocus.com/archive/1/372963/2004-08-16/2004-08-22/0 Still nothing upstream.
Osvdb is listing this vuln as unstable. http://www.osvdb.org/displayvuln.php?osvdb_id=8994 From their site: This means this vulnerability is lacking proper or complete information, and is in queue for processing by either a Data Mangler or Moderator.
Here's the result of an e-mail sent to the maintainer.
Tom Lynema <lyz27@yahoo.com> writes:
> Hello,
>
> Could you please tell us at gentoo about the status of the vulnerability
> that is described here http://bugs.gentoo.org/show_bug.cgi?id=61412 .
A patch exists and is part of the latest snapshot of heimdal-0.6 branch and the upcoming 0.6.3 release.
ftp://ftp.pdc.kth.se/pub/heimdal/snapshots/heimdal-0.6.3rc2.tar.gz
ftp://ftp.pdc.kth.se/pub/heimdal/snapshots/heimdal-0.6-20040906.tar.gz
Love
Correct links are:
ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.6.3rc2.tar.gz
ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.6-20040906.tar.gz
I sent the devs a message concerning the next release of the package and got this reply.
>>There's an rc3 now also, unless there's something coming up, I will
>>call it 0.6.3 soon.
>>/Johan
ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.6.3rc3.tar.gz
Version 0.6.3 is out. ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.3.tar.gz
This fixes the vuln.
aliz, rphillips please bump to newest version ASAP. http://www.pdc.kth.se/heimdal/advisory/2004-09-13/
A DoS also seems to have been fixed in this version. Sounds to me like the second vulnerability mentioned in GLSA 200409-09 for mit-krb5 (bug #62417). The changelog contains among other things:
"2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/der_get.c (decode_enumerated): check that the tag length isn't longer the the length"
Announcement for Heimdal 0.6.3: http://news.gmane.org/gmane.comp.encryption.kerberos.heimdal.announce
Recent reports claim that Heimdal release 0.6.3 has been spotted at:
ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.3.tar.gz
The main attraction is a fix for the remote ftpd vulnerability, as found in all Berkeley derived variants.
Changes in release 0.6.3
* fix vulnerabilities in ftpd
* support for linux AFS /proc "syscalls"
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd
* fix possible KDC denial of service
* bug fixes
Love, Assar, Jacques, and Johan
Thanks to dragonheart we now have a 0.6.3 ebuild, committed as -*. Jose Gonzalez Gomez helps with basic testing so that we can hand this later to arches for more arch-specific keywords.
It seems the ebuild has some eclass missing in the inherit clause, either flag-o-matic or ccc. When I compile it I get the following error:
/usr/sbin/ebuild.sh: line 58: append-ldflags: command not found
The compile process continues, but with limited testing, it seems that it isn't working properly. I have manually added ccc (vorlon078 in #gentoo-security suggested this) to the inherit clause, and am recompiling it, to see if that makes any difference. Now I have to leave. If I have time I'll try to test it later. If I can't, I'll have a hard time testing it tomorrow, as I have a quite busy day.
Jose stated that heimdal compiles when ignoring the append-ldflags error, "but it seems it isn't working properly". Inheriting flag-o-matic, so that append-ldflags is known, leads to an error during configure. Inheriting ccc seems to compile at least, but I guess it shouldn't be needed.
I added inherit flag-o-matic to the 0.6.3 ebuild and the package configured and installed ok.
Portage 2.0.50-r5 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.6)
=================================================================
System uname: 2.6.6 i686 AMD Athlon(tm) XP 2100+
Gentoo Base System version 1.4.10
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apm arts avi berkdb cdr crypt cups encode esd foomaticdb gdbm gif gnome gpm gtk gtk2 imlib java jpeg kde ldap libg++ libwww mad mikmod motif mozilla mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline ruby sdl slang spell ssl svga tcltk tcpd tetex truetype x86 xml2 xmms xv zlib"
After a bit more testing, I've run into the same problem as Matthias.
The ebuild is incorrect. The append-ldflags -Wl,-z is probably supposed to be append-ldflags -Wl,-z,now.
Created attachment 39529 [details, diff] heimdal-0.6.3.ebuild.diff The ebuild should probably look like this attachment.
Compiles fine with patch from comment #17
ok great. Few more touchups needed for init scripts then I can commit this. Jose is working on the initscripts patches and should be posting them here shortly.
Progress on this bug:
1. Compiled successfully with patch submitted by solar.
2. heimdal-kadmind and heimdal-kpasswdd have incorrect references to /usr/libexec instead of new location, /usr/sbin.
3. The ebuild had an incorrect configure option: with-open-ldap instead of with-openldap.
Once this was fixed the ebuild compiled successfully, and the kerberos kdc works as expected.
Some comments, to be improved:
1. Files in /etc/conf.d should be created to be able to configure heimdal daemons.
2. heimdal-kadmind daemon fails to start due to missing /var/heimdal/kdc.conf. The location of this file may be indicated with a command line option (look #1). Should we put this file under /etc?
I think the ebuild is usable with the patches, but it should incorporate those improvements in later versions.
Created attachment 39533 [details, diff] heimdal-0.6.3.ebuild.patch Includes patches made by solar
Created attachment 39534 [details, diff] heimdal-kadmind.patch In files directory
Created attachment 39535 [details, diff] heimdal-kpasswdd.patch In files directory
Another thing to remember about this... if kadmind doesn't find the config file in the default location, it fails to start, but the init script thinks that kadmind started correctly, so the service is left in the started state. This should also be fixed.
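The start-then-verify logic the comment above asks for, as an added example that is not part of the Gentoo ebuild, the init scripts attached here, or Heimdal itself; the function names, the pidfile handling and the START_GRACE grace period are assumptions of this example, not anything the thread describes:

```shell
#!/bin/sh
# Added example: start a daemon and confirm it is still alive after a short
# grace period, so an init script does not report "started" for a daemon
# that exited at once (as kadmind does when /var/heimdal/kdc.conf is missing).

# start_checked PIDFILE CMD [ARGS...]
# Launches CMD in the background, records its pid in PIDFILE and returns 0
# only if the process is still running after START_GRACE seconds (default 1).
start_checked() {
    pidfile=$1; shift
    grace=${START_GRACE:-1}
    "$@" &
    pid=$!
    sleep "$grace"
    if kill -0 "$pid" 2>/dev/null; then
        echo "$pid" > "$pidfile"
        return 0
    fi
    # The child is already gone: reap it so its exit status can be reported.
    wait "$pid"
    status=$?
    echo "daemon '$1' exited with status $status during startup" >&2
    rm -f "$pidfile"
    return 1
}

# stop_checked PIDFILE
# Terminates the process recorded in PIDFILE and removes the pidfile.
# Returns 1 if there is no pidfile, i.e. nothing was ever recorded as started.
stop_checked() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    rm -f "$pidfile"
}
```

Because the pidfile is written only after the liveness check, a later "status" or "stop" cannot mistake a daemon that died at startup for a running one.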
Committed to portage. KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips" Ready for arch testing.
Arch maintainers please test and mark stable.
Thx Solar and Jose. Arches please test and mark stable ASAP. This is a possible remote root exploit.
stable on amd64
ppc stable
Stable on sparc
***bump*** x86 please mark stable ASAP, this is a remote root exploit. ***bump***
There's another problem with heimdal: it presently conflicts with mit-krb5. See bug #47138
It would be good for somebody to look at the Debian mit-krb5 and heimdal packages to see how they manage the conflicting files.
Regards, Aron
Stable on hppa.
Sune: Those conflicts shouldn't be managed at all... mit-krb and heimdal are different implementations of the same thing, so they simply shouldn't be installed at the same time. This ebuild provides and is blocked by virtual/krb5. The problem is that there are a lot of packages that depend on mit-krb5 instead of virtual/krb5, and somehow they got installed at the same time... maybe some older version of the ebuilds that didn't include the virtual/krb5 stuff?
Yeah my bad, it was quickly noticed on -dev:
> There's another problem with heimdal: it presently conflicts with
> mit-krb5. See bug 47138
I guess this a problem of the past. Both packages provide virtual/krb5 and block each other this way.
Carsten
stable on x86
Stable on alpha.
GLSA 200409-19. ia64 and mips, don't forget to mark stable to benefit from the GLSA.
mips stable.