Summary: | <app-crypt/mit-krb5-1.6.3-r5: SPNEGO can dereference a null pointer (CVE-2009-0845) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | kerberos |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-03-16 22:20:33 UTC
ping, please apply this patch. http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=22084&view=rev Committed mit-krb5-1.6.3-r5 with new patch set release including this patch. Made arch unstable as local installed files are definitely modified. g, mueli Arches, please test and mark stable: =app-crypt/mit-krb5-1.6.3-r5 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" ppc64 done ppc done amd64/x86 stable Stable on alpha. arm/ia64/m68k/s390/sh/sparc stable Stable for HPPA. CVE-2009-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0845): The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token. glsa with #263398 GLSA 200904-09 |