639702 – (CVE-2017-15088) <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability

Bug 639702 (CVE-2017-15088) - <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability

Summary: <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability

Status:	RESOLVED INVALID

Alias:	CVE-2017-15088

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-12-04 01:58 UTC by GLSAMaker/CVETool Bot
Modified:	2018-01-27 22:08 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=app-crypt/mit-krb5-1.15.2-r1
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2017-12-04 01:58:22 UTC

CVE-2017-15088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15088):
  plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5)
  through 1.15.2 mishandles Distinguished Name (DN) fields, which allows
  remote attackers to execute arbitrary code or cause a denial of service
  (buffer overflow and application crash) in situations involving untrusted
  X.509 data, related to the get_matching_data and X509_NAME_oneline_ex
  functions. NOTE: this has security relevance only in use cases outside of
  the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC
  certauth plugin code that is specific to Red Hat.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-12-04 01:59:04 UTC

@Maintainers could you confirm if we are affected? 

Thank you

Comment 2 Eray Aslan gentoo-dev

2017-12-05 10:04:09 UTC

app-crypt/mit-krb5-1.15.2 is vulnerable.

Arches, please test and mark stable
=app-crypt/mit-krb5-1.15.2-r1

Target Keywords = alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86

Comment 3 Agostino Sarubbo gentoo-dev

2017-12-06 20:57:33 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-12-08 20:40:34 UTC

x86 stable

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2017-12-09 14:54:18 UTC

hppa stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-12-10 23:01:06 UTC

ppc/ppc64 stable

Comment 7 Markus Meier gentoo-dev

2017-12-13 21:06:45 UTC

arm stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-12-28 22:03:09 UTC

ia64 stable

Comment 9 Tobias Klausmann (RETIRED) gentoo-dev

2018-01-20 16:52:09 UTC

Stable on alpha.

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2018-01-20 19:49:52 UTC

GLSA request filed.

@maintainer(s), please clean the vulnerable version from the tree (note that sparc is now an exp profile and has a previous stable keyword).

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2018-01-27 22:08:01 UTC

After further discussion with other team members, this vulnerability is not relevant to Gentoo.  It only impacts Redhat's MIT KRB5 implementation due to additional code/changes.  Upstream is not impacted and as such Gentoo is not.