| Field | Value |
|---|---|
| Summary | net-www/mod_auth_kerb Buffer overflow (CVE-2006-5989) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | apache-bugs |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description

Sune Kloppenborg Jeppesen (RETIRED), 2006-11-20 09:04:37 UTC

finally adding maintainers, please provide an updated ebuild

RH published an advisory about a week ago
http://rhn.redhat.com/errata/RHSA-2006-0746.html
http://secunia.com/advisories/23023/

---

Created attachment 106454 [details, diff]
http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/spnegokrb5/der_get.c?r1=1.1&r2=1.1.2.1

Proposed patch by UPSTREAM.

---

(In reply to comment #1)
> finally adding maintainers
> please provide an updated ebuild

New revisions in the tree. Both =net-www/mod_auth_kerb-5.0_rc6-r1 and =net-www/mod_auth_kerb-5.0_rc7-r1 fix this bug.

---

Hello my dear preferred arch. Please test and mark stable one of these two ebuilds:
=net-www/mod_auth_kerb-5.0_rc6-r1
=net-www/mod_auth_kerb-5.0_rc7-r1
Thanks in advance.

---

```
>>> Emerging (2 of 2) net-www/mod_auth_kerb-5.0_rc7-r1 to /
 * mod_auth_kerb-5.0rc7.tar.gz MD5 ;-) ... [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz RMD160 ;-) ... [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz SHA1 ;-) ... [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz SHA256 ;-) ... [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz size ;-) ... [ ok ]
 * checking ebuild checksums ;-) ... [ ok ]
 * checking auxfile checksums ;-) ... [ ok ]
 * checking miscfile checksums ;-) ... [ ok ]
 * checking mod_auth_kerb-5.0rc7.tar.gz ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking mod_auth_kerb-5.0rc7.tar.gz to /var/tmp/portage/portage/net-www/mod_auth_kerb-5.0_rc7-r1/work
 * Applying mod_auth_kerb-5.0-CVE-2006-5989.patch ... [ ok ]
 * Applying mod_auth_kerb-5.0-gcc4.patch ... [ ok ]
 * Applying mod_auth_kerb-5.0-axps1.patch ...
 * Failed Patch: mod_auth_kerb-5.0-axps1.patch !
 * ( /usr/gentoo/portage/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/portage/net-www/mod_auth_kerb-5.0_rc7-r1/temp/mod_auth_kerb-5.0-axps1.patch-25129.out

!!! ERROR: net-www/mod_auth_kerb-5.0_rc7-r1 failed.
Call stack:
  ebuild.sh, line 1593:   Called dyn_unpack
  ebuild.sh, line 731:   Called src_unpack
  mod_auth_kerb-5.0_rc7-r1.ebuild, line 43:   Called epatch '/usr/gentoo/portage/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch'
  eutils.eclass, line 341:   Called die

!!! Failed Patch: mod_auth_kerb-5.0-axps1.patch!
!!! If you need support, post the topmost build error, and the call stack if relevant.
```

Created attachment 106817 [details]
mod_auth_kerb-5.0-axps1.patch-25129.out

---

Ticho, please sync again, the last commit by phreak is not OK.

---

Created attachment 106864 [details]
merge log

Synced, but compilation fails. Merge log attached.

---

Thx ticho. phreak, your turn :)

---

Ticho was happy and asked me to stabilize it.

---

Perfect, thanks. Time to vote for a GLSA.

---

Despite the overflow, mitre.org only mentions a DoS. I really hesitate.

---

Hard to decide here... but I tend to vote yes.

---

The thing is that if you use Kerberos, chances are good that it is mission-critical. Hence a "yes" from me.

---

Go GLSA 200601-14, thanks everybody.