CVE-2023-36054 (https://web.mit.edu/kerberos/www/advisories/): lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Patch seems to be: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd

Also noted in 1.20.2 and 1.21.1 release notes: "* Fix read overruns in SPNEGO parsing (already included in 1.21)."

Looks like we never had any vulnerable 1.21. Need to stabilize fixed 1.20.2.
CVE-2023-39975 (https://mailman.mit.edu/pipermail/kerberos-announce/2023q3/000206.html): kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.

https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
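Added illustration of the bug class described above for CVE-2023-36054: a record header carries its own element count while the array that follows is decoded with a separate length prefix, and a cleanup loop driven by the header count then walks array slots the decoder never allocated or initialised. This is constructed example code, not krb5's kadm_rpc_xdr.c and not the upstream fix; the toy wire format, the structs and the function names (decode_princ_rec, free_princ_rec, stale_free_slots, probe) are assumptions made for the demonstration. The lenient decoder reproduces the mismatch, the strict one rejects it, and the release path is bounded by the allocation size rather than the header count so the example itself never touches uninitialised memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy record: a header count (n_key_data) next to a separately
 * length-prefixed array (key_data). Constructed for this example. */
struct key_data {
    uint8_t *contents;
    uint32_t len;
};

struct princ_rec {
    uint32_t n_key_data;       /* count field taken from the record header   */
    uint32_t key_data_alloc;   /* entries the decoder actually allocated     */
    struct key_data *key_data;
};

void free_princ_rec(struct princ_rec *r);

/* Read one big-endian u32, refusing to run past the buffer. */
static int rd_u32(const uint8_t **p, const uint8_t *end, uint32_t *v)
{
    if ((size_t)(end - *p) < 4) return -1;
    *v = (uint32_t)(*p)[0] << 24 | (uint32_t)(*p)[1] << 16 |
         (uint32_t)(*p)[2] << 8 | (*p)[3];
    *p += 4;
    return 0;
}

/* Wire layout (constructed): u32 n_key_data | u32 array_len |
 *   array_len * (u32 key_len, key_len bytes).
 * Returns 0 on success, -1 on malformed input. With strict != 0 the decoder
 * refuses a record whose header count disagrees with the array length. */
int decode_princ_rec(const uint8_t *buf, size_t buflen, int strict,
                     struct princ_rec *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint32_t array_len, i;

    memset(out, 0, sizeof(*out));
    if (rd_u32(&p, end, &out->n_key_data) < 0) return -1;
    if (rd_u32(&p, end, &array_len) < 0) return -1;
    if (array_len > 1024) return -1;                    /* arbitrary sanity bound */
    if (strict && array_len != out->n_key_data) return -1;  /* the missing check */

    out->key_data = calloc(array_len ? array_len : 1, sizeof(*out->key_data));
    if (out->key_data == NULL) return -1;
    out->key_data_alloc = array_len;

    for (i = 0; i < array_len; i++) {
        uint32_t klen;
        if (rd_u32(&p, end, &klen) < 0 || (size_t)(end - p) < klen) goto fail;
        out->key_data[i].contents = malloc(klen ? klen : 1);
        if (out->key_data[i].contents == NULL) goto fail;
        memcpy(out->key_data[i].contents, p, klen);
        out->key_data[i].len = klen;
        p += klen;
    }
    return 0;
fail:
    free_princ_rec(out);
    return -1;
}

/* Slots a cleanup loop driven by n_key_data would visit beyond the array the
 * decoder allocated. Anything > 0 means such a loop would free pointers that
 * were never initialised, which is the crash class described for kadmind. */
uint32_t stale_free_slots(const struct princ_rec *r)
{
    return r->n_key_data > r->key_data_alloc ? r->n_key_data - r->key_data_alloc : 0;
}

/* Safe release: bounded by the allocation size, not the header count. */
void free_princ_rec(struct princ_rec *r)
{
    uint32_t i;
    for (i = 0; i < r->key_data_alloc; i++)
        free(r->key_data[i].contents);
    free(r->key_data);
    memset(r, 0, sizeof(*r));
}

/* Constructed messages: the first claims 3 keys in the header but carries 1,
 * the second is self-consistent (2 and 2). */
static const uint8_t MISMATCH_MSG[] = {
    0, 0, 0, 3,  0, 0, 0, 1,
    0, 0, 0, 2, 0xAA, 0xBB
};
static const uint8_t CONSISTENT_MSG[] = {
    0, 0, 0, 2,  0, 0, 0, 2,
    0, 0, 0, 1, 0x01,
    0, 0, 0, 3, 0x02, 0x03, 0x04
};

/* Decode, report how many stale slots a header-driven cleanup would hit, release. */
int probe(const uint8_t *msg, size_t len, int strict, uint32_t *stale)
{
    struct princ_rec r;
    if (decode_princ_rec(msg, len, strict, &r) < 0) return -1;
    *stale = stale_free_slots(&r);
    free_princ_rec(&r);
    return 0;
}

int main(void)
{
    uint32_t stale = 0;
    if (probe(MISMATCH_MSG, sizeof MISMATCH_MSG, 0, &stale) == 0)
        printf("lenient: accepted; header-driven cleanup would touch %u stale slot(s)\n", stale);
    printf("strict: %s\n",
           probe(MISMATCH_MSG, sizeof MISMATCH_MSG, 1, &stale) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check that matters is the single comparison between the header count and the decoded array length; once the two can disagree, any later code that trusts the header count (here the release path, in the real decoder the XDR free path) operates on memory the decoder never filled in.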
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804b1075226d5093c6541db7837efd767ab08bb2

commit 804b1075226d5093c6541db7837efd767ab08bb2
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-04-05 07:11:53 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-04-05 07:11:53 +0000

    app-crypt/mit-krb5: security cleanup

    Bug: https://bugs.gentoo.org/917464
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest                          |   3 -
 .../files/mit-krb5-1.20-missing-time-include.patch   |  20 ---
 .../files/mit-krb5-1.20.1-autoconf-2.72.patch        |  31 -----
 .../files/mit-krb5-config_LDFLAGS-r1.patch           |  12 --
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild            | 149 ---------------------
 app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild            | 148 --------------------
 app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild            | 146 --------------------
 7 files changed, 509 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=573380a79676407a84c4bd5cfca7805936336c8a

commit 573380a79676407a84c4bd5cfca7805936336c8a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 07:13:18 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 07:13:49 +0000

    [ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803434
    Bug: https://bugs.gentoo.org/809845
    Bug: https://bugs.gentoo.org/879875
    Bug: https://bugs.gentoo.org/917464
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-11.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)