Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC

Bug 155782

Summary: net-www/mod_auth_kerb Buffer overflow (CVE-2006-5989)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: apache-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/spnegokrb5/der_get.c?r1=1.1&r2=1.1.2.1
none
mod_auth_kerb-5.0-axps1.patch-25129.out
none
merge log none

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-11-20 09:04:37 UTC
Bah, upstream bugs are restricted. Details should be here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206736
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215443

Please don't open this bug before the upstream bugs are opened.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:33:35 UTC
finally adding maintiners
please provide an updated ebuild

RH published an advisory about a week ago

http://rhn.redhat.com/errata/RHSA-2006-0746.html
http://secunia.com/advisories/23023/
Comment 2 Christian Heim (RETIRED) gentoo-dev 2007-01-10 21:32:25 UTC
Created attachment 106454 [details, diff]
http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/spnegokrb5/der_get.c?r1=1.1&r2=1.1.2.1

Proposed patch by UPSTREAM.
Comment 3 Christian Heim (RETIRED) gentoo-dev 2007-01-10 22:02:03 UTC
(In reply to comment #1)
> finally adding maintiners
> please provide an updated ebuild

New revisions in the tree. Both =net-www/mod_auth_kerb-5.0_rc6-r1 and =net-www/mod_auth_kerb-5.0_rc7-r1 fix this bug.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:12:52 UTC
Hello my dear prefered arch. Please test and mark stable one of these two ebuilds:
=net-www/mod_auth_kerb-5.0_rc6-r1
=net-www/mod_auth_kerb-5.0_rc7-r1 ,
thanks in advance
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2007-01-13 16:06:43 UTC
>>> Emerging (2 of 2) net-www/mod_auth_kerb-5.0_rc7-r1 to /
 * mod_auth_kerb-5.0rc7.tar.gz MD5 ;-) ...                                        [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz RMD160 ;-) ...                                     [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz SHA1 ;-) ...                                       [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz SHA256 ;-) ...                                     [ ok ]
 * mod_auth_kerb-5.0rc7.tar.gz size ;-) ...                                       [ ok ]
 * checking ebuild checksums ;-) ...                                              [ ok ]
 * checking auxfile checksums ;-) ...                                             [ ok ]
 * checking miscfile checksums ;-) ...                                            [ ok ]
 * checking mod_auth_kerb-5.0rc7.tar.gz ;-) ...                                   [ ok ]
>>> Unpacking source...
>>> Unpacking mod_auth_kerb-5.0rc7.tar.gz to /var/tmp/portage/portage/net-www/mod_auth_kerb-5.0_rc7-r1/work
 * Applying mod_auth_kerb-5.0-CVE-2006-5989.patch ...                             [ ok ]
 * Applying mod_auth_kerb-5.0-gcc4.patch ...                                      [ ok ]
 * Applying mod_auth_kerb-5.0-axps1.patch ...
 
 * Failed Patch: mod_auth_kerb-5.0-axps1.patch !
 *  ( /usr/gentoo/portage/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/portage/net-www/mod_auth_kerb-5.0_rc7-r1/temp/mod_auth_kerb-5.0-axps1.patch-25129.out


!!! ERROR: net-www/mod_auth_kerb-5.0_rc7-r1 failed.
Call stack:
  ebuild.sh, line 1593:   Called dyn_unpack
  ebuild.sh, line 731:   Called src_unpack
  mod_auth_kerb-5.0_rc7-r1.ebuild, line 43:   Called epatch '/usr/gentoo/portage/net-www/mod_auth_kerb/files/mod_auth_kerb-5.0-axps1.patch'
  eutils.eclass, line 341:   Called die

!!! Failed Patch: mod_auth_kerb-5.0-axps1.patch!
!!! If you need support, post the topmost build error, and the call stack if relevant.

Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2007-01-13 16:08:57 UTC
Created attachment 106817 [details]
mod_auth_kerb-5.0-axps1.patch-25129.out
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-13 20:22:21 UTC
Ticho, please sync again, the last commit by phreak is not OK 
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2007-01-13 22:48:26 UTC
Created attachment 106864 [details]
merge log

Synced, but compilation fails. Merge log attached.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 00:47:58 UTC
Thx ticho.

phreak, your turn :)
Comment 10 Torsten Veller (RETIRED) gentoo-dev 2007-01-15 07:08:33 UTC
Ticho was happy and asked me to stabilize it.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-15 23:38:53 UTC
Perfet, thanks.

Time to vote for a GLSA.

Despite of the overflow, mitre.org only mentions a DoS. I really hesitate.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 13:48:30 UTC
hard to decide here...
but I tend to vote yes
Comment 13 Wolf Giesen (RETIRED) gentoo-dev 2007-01-17 13:55:04 UTC
The thing is that if you use kerberos, chances are good that it is mission-critical. Hence a "yes" from me.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-17 22:33:31 UTC
Go
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-23 00:22:48 UTC
GLSA 200601-14, thanks everybody.