
Bug 321935

Summary: <app-crypt/mit-krb5-1.8.2: kadmind 1.6.3 crashes when a newer mit kadmin client connects to it (CVE-2010-0629)
Product: Gentoo Security
Reporter: Richard F. Ostrow Jr. <kshots>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: kerberos, xmw
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 323525    
Bug Blocks:    
Attachments:
  patch to the 1.6.3-r6 ebuild to apply the mit-kerberos SA patch to fix this issue (Flags: none)

Description Richard F. Ostrow Jr. 2010-05-29 04:08:59 UTC
kadmind 1.6.3 crashes when a newer mit kadmin client (like 1.8.1) connects to it. mit-krb5-1.8.1 has been marked stable in FreeBSD systems, and now kadmind servers that FreeBSD clients connect to crash when the 1.8.1 kadmin client connects to them. The referenced URL describes a patch put out by the Kerberos team via a security advisory to address this problem in version 1.6.3 of mit-krb5. Versions 1.7 and beyond are unaffected by this issue.

Reproducible: Sometimes

Steps to Reproduce:
1. Run mit kadmind on a 1.6.3 server
2. Connect to mit kadmind via mit kadmin 1.8.1
3. usually watch it (kadmind) crash with no log message explaining why... occasionally see it connect properly

A patch is available to address this issue. Either apply the patch and stay with 1.6.3 (currently marked stable) or update to 1.8.1 (gentoo marks as unstable atm).
Comment 1 Richard F. Ostrow Jr. 2010-05-29 04:11:14 UTC
Created attachment 233357
patch to the 1.6.3-r6 ebuild to apply the mit-kerberos SA patch to fix this issue

This ebuild patch (against app-crypt/mit-krb5-1.6.3-r6.ebuild) applies the SA patch in the referenced URL. The ebuild patch expects to find this SA patch in the ${FILESDIR}. Appears to work properly on my system.
Comment 2 Michael Weber (RETIRED) gentoo-dev 2010-06-07 11:02:19 UTC
Hello Richard, 

thanks for the report, but I had to guess category/package out of the URL (knowing something about the different Kerberos implementations), please add this next time.

Michael
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 19:13:23 UTC
Kerberos herd, please provide an updated ebuild (see URL for patch)

Please file security bugs in the "Gentoo Security" product of Bugzilla (usually with component "Vulnerabilities").
Comment 4 Eray Aslan gentoo-dev 2010-06-13 19:32:07 UTC
(In reply to comment #3)
> Kerberos herd, please provide an updated ebuild (see URL for patch)

NACK.  mit-krb5-1.6.3 should not be used anymore.  It is too old and has too many security problems.  Correct fix is to stabilize mit-krb5-1.8.2.

I can open a stabilization bug for =app-crypt/mit-krb5-1.8.2 but would prefer if you do (as a real dev).
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 20:40:16 UTC
CVE-2010-0629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0629):
  Use-after-free vulnerability in kadmin/server/server_stubs.c in
  kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote
  authenticated users to cause a denial of service (daemon crash) via a
  request from a kadmin client that sends an invalid API version number.

Comment 6 Eray Aslan gentoo-dev 2010-06-15 09:22:59 UTC
Stabilization request for app-crypt/mit-krb5-1.8.2 at bug #323525
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 12:53:44 UTC
CVE-2010-0629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0629):
  Use-after-free vulnerability in kadmin/server/server_stubs.c in
  kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote
  authenticated users to cause a denial of service (daemon crash) via a
  request from a kadmin client that sends an invalid API version number.

Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 03:28:58 UTC
We stabilized a fixed package via bug 323525.

GLSA Vote: Yes.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 23:03:23 UTC
Added to pending glsa.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:13 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).