Bug 339866 (CVE-2010-1322)

Summary: <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data handling DoS (CVE-2010-1322)
Product: Gentoo Security
Reporter: Paul B. Henson <henson>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: DuPol, kerberos
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 328467
Bug Blocks:
Attachments:
  CVE-2010-1322.patch (flags: none)
  mit-krb5-1.8.3-r1.ebuild (flags: none)

Description Paul B. Henson 2010-10-05 19:53:46 UTC
MIT krb5 Security Advisory 2010-006

Topic: KDC uninitialized pointer crash in authorization data handling
[...]
AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.8 through krb5-1.8.3

* Earlier releases of MIT krb5 did not contain the vulnerable code.


Patch available at

  http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

Please add to ebuild, thanks...
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-10-05 21:39:31 UTC
adding maintainers
Comment 2 Eray Aslan gentoo-dev 2010-10-06 11:45:34 UTC
Created attachment 249737 [details, diff]
CVE-2010-1322.patch
Comment 3 Eray Aslan gentoo-dev 2010-10-06 11:50:19 UTC
Created attachment 249739 [details]
mit-krb5-1.8.3-r1.ebuild

Changelog:

Security bump bug #339866.  Add double blocker to heimdal bug #339143.


On a side note, we can remove all patches in ${FILESDIR} except CVE-2010-1322.
Comment 4 Paul B. Henson 2010-10-21 22:36:51 UTC
Is someone going to add this to portage and get it stabilized? The current stable version is still vulnerable to this security issue.

Thanks...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2010-10-23 14:04:52 UTC
CVE-2010-1322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322):
  The merge_authdata function in kdc_authdata.c in the Key Distribution Center
  (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly
  manage an index into an authorization-data list, which allows remote
  attackers to cause a denial of service (daemon crash), or possibly obtain
  sensitive information, spoof authorization, or execute arbitrary code, via a
  TGS request, as demonstrated by a request from a Windows Active Directory
  client.

Comment 6 Eray Aslan gentoo-dev 2010-11-05 21:15:46 UTC
+*mit-krb5-1.8.3-r1 (05 Nov 2010)
+
+  05 Nov 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r1.ebuild,
+  +files/CVE-2010-1322.patch:
+  Security bump - bug #339866
+
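Review bot: the message line "+  Security bump - bug #339866" omits the second change listed in the changelog proposed in comment 3 ("Add double blocker to heimdal bug #339143"). If the committed mit-krb5-1.8.3-r1.ebuild carries that blocker, record it in this entry as well so the ChangeLog matches what the revision actually changes.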
Comment 7 Paul B. Henson 2010-11-22 22:24:43 UTC
Any thoughts on getting this security fix marked stable?

Thanks...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 23:11:15 UTC
Arches, please test and mark stable:
=app-crypt/mit-krb5-1.8.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-23 09:00:42 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-23 18:02:34 UTC
Stable for HPPA PPC.
Comment 11 Agostino Sarubbo gentoo-dev 2010-11-24 18:17:57 UTC
amd64 ok
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-11-25 16:02:08 UTC
ppc64 done
Comment 13 Alex Buell 2010-11-25 20:32:00 UTC
Seems to build just fine on SPARC, but no tests to run though. 
Comment 14 Eray Aslan gentoo-dev 2010-11-26 07:25:23 UTC
(In reply to comment #13)
> Seems to build just fine on SPARC, but no tests to run though.

https://bugs.gentoo.org/show_bug.cgi?id=346549#c2
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-11-26 08:37:14 UTC
amd64 done. Thanks Agostino
Comment 16 Alex Buell 2010-11-26 17:07:18 UTC
Retested 1.8.3-r1 as someone said they'd added tests to it. No sign of the tests. Perhaps another time but I didn't see any problems.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-11-27 12:17:40 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-27 15:41:56 UTC
Thanks, folks.

GLSA Vote: yes.
Comment 19 Dustin Polke 2010-11-27 18:21:51 UTC
Make this bug depend on #328467 as keyutils fails to merge on sparc right now.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:59:53 UTC
Added to pending glsa request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:26 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).