Summary: | <app-crypt/mit-krb5-1.8.2 multiple vulnerabilities (CVE-2010-{1320,1321}) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Eray Aslan <eras> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | major | ||||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | http://web.mit.edu/Kerberos/krb5-1.8/ | ||||||||
Whiteboard: | B1 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Bug Depends on: | |||||||||
Bug Blocks: | 321935 | ||||||||
Attachments: |
Description
Eray Aslan
2010-06-11 09:08:14 UTC
Created attachment 234919 [details]
kpropd.xinetd
Created attachment 234923 [details]
mit-krb5-1.8.2.ebuild

Changelog:
Version bump bug #323525. Added xinetd USE flag bug #321939. Disabled parallel make bug #321141. No need to inherit autotools anymore.

+ 11 Jun 2010; Jeremy Olexa <darkside@gentoo.org> +mit-krb5-1.8.2.ebuild,
+ +files/kpropd.xinetd:
+ Version bump bug #323525. Added xinetd USE flag bug #321939. Disabled
+ parallel make bug #321141. No need to inherit autotools anymore.

Multiple vulnerabilities exist for <app-crypt/mit-krb5-1.8.2. Please see http://web.mit.edu/kerberos/advisories/ for a full list.

Arches, please test and mark stable =app-crypt/mit-krb5-1.8.2
Target keywords: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"

reassigning to security and fixing product/component

Eray, please file security-related bugs in the Gentoo Security product. Also please don't close bugs assigned to security@g.o

For more information about handling security bugs have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml and http://www.gentoo.org/security/en/index.xml

Noted. Sorry about that.

x86 stable

Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect of putting a blocker on apps that use heimdal.

equery d heimdal
[ Searching for packages depending on heimdal... ]
net-ftp/proftpd-1.3.2d (kerberos? app-crypt/heimdal)
net-nds/openldap-2.4.19-r1 (!minimal & smbkrb5passwd? app-crypt/heimdal)

This really needs sorting out as I use kerberos as one of my USE flags!

# equery d mit-krb5
[ Searching for packages depending on mit-krb5... ]
dev-lang/php-5.2.13 (kerberos? virtual/krb5)
dev-libs/cyrus-sasl-2.1.23-r1 (kerberos? virtual/krb5)
dev-libs/openssl-0.9.8o (kerberos? app-crypt/mit-krb5)
dev-perl/GSSAPI-0.24 (virtual/krb5)
dev-util/cvs-1.12.12-r6 (kerberos? virtual/krb5)
gnome-base/gnome-vfs-2.24.3-r1 (kerberos? virtual/krb5)
gnome-extra/evolution-data-server-2.28.3.1-r1 (kerberos? virtual/krb5) (krb4? app-crypt/mit-krb5[krb4])
mail-client/evolution-2.28.3.1 (kerberos? virtual/krb5) (krb4? app-crypt/mit-krb5[krb4])
net-fs/nfs-utils-1.1.4-r1 (!nonfsv4 & kerberos? app-crypt/mit-krb5)
net-fs/samba-3.4.6 (ads? virtual/krb5)
net-ftp/proftpd-1.3.2d (kerberos? <app-crypt/mit-krb5-1.7)
net-im/pidgin-2.6.6 (zephyr? >=app-crypt/mit-krb5-1.3.6-r1[krb4])
net-mail/fetchmail-6.3.17 (kerberos? virtual/krb5)
net-misc/curl-7.20.0-r2 (kerberos? virtual/krb5)
net-misc/neon-0.29.3 (kerberos? virtual/krb5)
net-misc/openssh-5.3_p1-r1 (kerberos? virtual/krb5)
net-nds/openldap-2.4.19-r1 (!minimal & kerberos? virtual/krb5)
net-print/cups-1.3.11-r1 (kerberos? virtual/krb5)

Please open a separate bug for it. Thank you.

(In reply to comment #8)
> Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect
> of putting a blocker on apps that use heimdal.

That should be impossible as heimdal and mit-krb5 are interchangeable, and we don't impose a restriction on either use:

jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-nds/openldap $ ebuildvar DEPEND | grep kerb
openldap-2.3.43-r1.ebuild: kerberos? ( virtual/krb5 )
openldap-2.4.19-r1.ebuild: kerberos? ( virtual/krb5 )
openldap-2.4.21.ebuild: kerberos? ( virtual/krb5 )

jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-ftp/proftpd $ ebuildvar DEPEND | grep kerb
proftpd-1.3.2b.ebuild: kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2c.ebuild: kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2d.ebuild: kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2e.ebuild: kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.3.ebuild: kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )

The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead, but that problem has nothing to do with this bug report.

(In reply to comment #10)
> The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead,
> but that problem has nothing to do with this bug report.

Agreed. Please see bug #324903

Stable for HPPA.

amd64 stable

ppc64 done

Stable on alpha.

(cleaning my bug queue, Eray can add me to CC for future requests)

arm/ia64/m68k/s390/sh/sparc stable

Marked ppc stable.

glsa request filed.

CVE-2010-1320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320):
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.

CVE-2010-1321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321):
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.

This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle).
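Added example, not part of this bug, the Gentoo tree or the MIT krb5 project: a POSIX sh check that turns the title's "<app-crypt/mit-krb5-1.8.2" into a test a practitioner can run against an installed krb5. It compares dotted version numbers against the 1.8.2 fix release for CVE-2010-1320 and CVE-2010-1321, accepting either a bare version or a Gentoo atom. Assumptions not taken from the page: that `krb5-config --version` on MIT krb5 prints a line of the form "Kerberos 5 release X.Y.Z", that a Gentoo "-rN" revision and an "_pN" style suffix never change the upstream base version, and the sample output line, which is constructed.

```shell
#!/bin/sh
# Added example (not from the bug, Gentoo or krb5): is an installed MIT krb5
# below 1.8.2, the release that fixes CVE-2010-1320 (KDC double free) and
# CVE-2010-1321 (GSS-API NULL dereference)?

KRB5_FIXED="1.8.2"

# vercmp A B: prints 0 if A == B, 1 if A > B, 2 if A < B.
# Compares dot-separated numeric components; a missing component counts as 0,
# so 1.8 == 1.8.0 and 1.8 < 1.8.1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        if [ "$ai" -lt "$bi" ]; then echo 2; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# upstream_version ATOM_OR_VERSION: reduce "app-crypt/mit-krb5-1.8.1_p1-r2"
# to "1.8.1". Assumption: the Gentoo "-rN" revision and an "_p"/"_alpha"
# style suffix never lower the upstream base version, so both are dropped.
upstream_version() {
    v=${1##*/}            # drop the category
    v=${v#mit-krb5-}      # drop the package name if present
    v=${v%-r[0-9]*}       # drop the Gentoo revision
    v=${v%%_*}            # drop any _suffix
    printf '%s\n' "$v"
}

# krb5_affected VERSION: true (exit 0) when VERSION is below $KRB5_FIXED.
krb5_affected() {
    [ "$(vercmp "$(upstream_version "$1")" "$KRB5_FIXED")" = 2 ]
}

# krb5_config_version LINE: pull the version out of `krb5-config --version`
# output, assumed to read "Kerberos 5 release X.Y.Z" on MIT krb5.
krb5_config_version() {
    printf '%s\n' "$1" | sed -n 's/^Kerberos 5 release \([0-9][0-9.]*\).*/\1/p'
}

# report LINE: one-line verdict for a krb5-config output line.
report() {
    v=$(krb5_config_version "$1")
    if [ -z "$v" ]; then
        printf 'unrecognised krb5-config output: %s\n' "$1"
        return 0
    fi
    if krb5_affected "$v"; then
        printf 'krb5 %s is affected by CVE-2010-1320/CVE-2010-1321; upgrade to >=%s\n' "$v" "$KRB5_FIXED"
    else
        printf 'krb5 %s is not affected (>=%s)\n' "$v" "$KRB5_FIXED"
    fi
}

# Constructed sample standing in for real `krb5-config --version` output.
SAMPLE_OUTPUT="Kerberos 5 release 1.8.1"

if command -v krb5-config >/dev/null 2>&1; then
    report "$(krb5-config --version)"
else
    report "$SAMPLE_OUTPUT"
fi
```

Run it on a box with krb5 installed and it reports on the real `krb5-config` output; elsewhere it falls back to the constructed sample. Only the upstream version matters here: a Gentoo revision such as 1.8.2-r1 still counts as fixed, while 1.8 (no patch level) counts as below 1.8.2.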