Summary: | <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data handling DoS (CVE-2010-1322) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Paul B. Henson <henson> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | minor | CC: | DuPol, kerberos | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt | ||||||||
Whiteboard: | B3 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Bug Depends on: | 328467 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Paul B. Henson
2010-10-05 19:53:46 UTC
adding maintainers Created attachment 249737 [details, diff]
CVE-2010-1322.patch
Created attachment 249739 [details] mit-krb5-1.8.3-r1.ebuild Changelog: Security bump bug #339866. Add double blocker to heimdal bug #339143. On a side note, we can remove all patches in ${FILESDIR} except CVE-2010-1322. Is someone going to add this to portage and get it stabilized? The current stable version is still vulnerable to this security issue. Thanks... CVE-2010-1322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322): The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request, as demonstrated by a request from a Windows Active Directory client. +*mit-krb5-1.8.3-r1 (05 Nov 2010) + + 05 Nov 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r1.ebuild, + +files/CVE-2010-1322.patch: + Security bump - bug #339866 + Any thoughts on getting this security fix marked stable? Thanks... Arches, please test and mark stable: =app-crypt/mit-krb5-1.8.3-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" x86 stable Stable for HPPA PPC. amd64 ok ppc64 done Seems to build just fine on SPARC, but no tests to run though. (In reply to comment #13) > Seems to build just fine on SPARC, but no tests to run though. https://bugs.gentoo.org/show_bug.cgi?id=346549#c2 amd64 done. Thanks Agostino Retested 1.8.3-r1 as someone said they'd added tests to it. No sign of the tests. Perhaps another time but I didn't seen any problems. alpha/arm/ia64/m68k/s390/sh/sparc stable Thanks, folks. GLSA Vote: yes. Make this bug depend on #328467 as keyutils fails to merge on sparc right now. Added to pending glsa request. This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle). |