Summary: | sys-auth/pam_krb5 existing_ticket permission flaw (CVE-2008-3825) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED INVALID | ||||||
Severity: | major | CC: | cardoe, kerberos | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | B1 [preebuild] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Robert Buchholz (RETIRED)
![]() mueli, cardoe, are you guys maintaining this? If so, please prepare an updated ebuild applying the patch and attach it to this bug. Do not commit anything to CVS. We will do prestable testing on this bug. Created attachment 165862 [details, diff]
pam_krb5-2.3.1-ccacheperms.patch
I'd say I'll take it ... g, mueli This patch and the bug report are related to the Red Hat sources at http://people.redhat.com/nalin/pam_krb5/ but we are providing the implementation of Russ Allbery at http://www.eyrie.org/~eagle/software/pam-krb5/. Any instructions for further procedure? g, mueli This bug is now public: http://rhn.redhat.com/errata/RHSA-2008-0907.html (In reply to comment #4) > This patch and the bug report are related to the Red Hat sources at > http://people.redhat.com/nalin/pam_krb5/ but we are providing the > implementation of Russ Allbery at > http://www.eyrie.org/~eagle/software/pam-krb5/. > > Any instructions for further procedure? g, mueli Considering that we are using an independent product with its own codebase, it seems this issue does not affect us. We might want to verify our pam_krb does not suffer from a similar issue, but I do not have the capacity to do that now. mueli, and your new team member, how do you feel about that? Otherwise we'll just close this bug. I'd say we can close this bug. We can't even reproduce the problem with our codebase because we don't have a "existing_ticket" pam option - which IMHO is absolutely against the kerberos principle ;) You can prove by grep "existing_ticket" options.c in our codebase. This code is responsible for parsing the options. greets, mueli Good enough for me, thanks. |