934994 – (CVE-2024-37370, CVE-2024-37371) <app-crypt/mit-krb5-1.21.3 vulnerabilities in GSS message token handling

Bug 934994 (CVE-2024-37370, CVE-2024-37371) - <app-crypt/mit-krb5-1.21.3 vulnerabilities in GSS message token handling

Summary: <app-crypt/mit-krb5-1.21.3 vulnerabilities in GSS message token handling

Status:	CONFIRMED

Alias:	CVE-2024-37370, CVE-2024-37371

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://web.mit.edu/kerberos/www/krb5...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	934995
Blocks:
	Show dependency tree

Reported:	2024-06-27 07:19 UTC by Eray Aslan
Modified:	2024-09-01 12:37 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eray Aslan gentoo-dev

2024-06-27 07:19:55 UTC

From the release notes:

Major changes in 1.21.3 (2024-06-26)
====================================

This is a bug fix release.

* Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
  CVE-2024-37371].

* Fix a potential bad pointer free in krb5_cccol_have_contents().

* Fix a memory leak in the macOS ccache type.

Comment 1 Larry the Git Cow gentoo-dev

2024-06-27 07:29:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b0b1dcf64f222410abcf1cb8cc953ffe497a205

commit 0b0b1dcf64f222410abcf1cb8cc953ffe497a205
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-06-27 07:27:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-06-27 07:29:23 +0000

    app-crypt/mit-krb5: add 1.21.3 security bump
    
    also
    - install ldif files when openldap USE flag is in use
    - make +threads USE flag mandatory
    
    Bug: https://bugs.gentoo.org/934994
    Closes: https://bugs.gentoo.org/890038
    Closes: https://bugs.gentoo.org/868462
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 +
 app-crypt/mit-krb5/mit-krb5-1.21.3.ebuild | 154 ++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2024-06-28 04:57:21 UTC

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.


These sound like Denial of Service issues to me, but I'm not familiar enough with Kerberos to be sure and the description here is a bit sparse.

Comment 3 Larry the Git Cow gentoo-dev

2024-09-01 12:37:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=705f34d940f47cffff7f2ab8083b068b4c909c66

commit 705f34d940f47cffff7f2ab8083b068b4c909c66
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-09-01 12:36:55 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-09-01 12:36:55 +0000

    app-crypt/mit-krb5: drop 1.21.2
    
    Bug: https://bugs.gentoo.org/934994
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 -
 app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild | 152 ------------------------------
 2 files changed, 153 deletions(-)