Bug 352859 (CVE-2010-4022)

Summary: <app-crypt/mit-krb5-{1.8.3-r3,1.9-r1}: Multiple DoS vulnerabilities (CVE-2010-4022,CVE-2011-{0281,0282,0283,0284})
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: eras
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-01-26 19:46:28 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

CVE-2010-4022:
The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to
a denial-of-service attack triggered by invalid network input.

An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening process,
preventing database propagations to the KDC host on which it was
running.  Configurations where kpropd runs in incremental propagation
mode ("iprop") or as an inetd server are not affected.
Affected: >=mit-krb5-1.7
--

CVE-2011-0281:
An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to become completely unresponsive until restarted.
Affected: >=mit-krb5-1.6
--

CVE-2011-0282:
An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to crash with a null pointer dereference.
Affected: >=mit-krb5-1.6
--

CVE-2011-0283:
An unauthenticated remote attacker can cause a krb5-1.9 KDC with any back end to crash with a null pointer dereference.
Affected: >=mit-krb5-1.9 (~arch only)
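The description above gives, per CVE, a first affected version and a configuration condition (kpropd started with -S, an LDAP KDC back end, or none). The following is an added triage helper, not Gentoo's or MIT's code, that encodes exactly those conditions together with the fixing revisions from the bug summary (1.8.3-r3 and 1.9-r1), so a host's installed app-crypt/mit-krb5 version and its KDC/kpropd configuration can be mapped to the CVEs that still apply. The version parser is an assumption of this example (it handles only the N.N.N and -rN forms used on this bug, not Portage's full version grammar); versions above 1.9-r1 are treated as patched, and CVE-2011-0284 is not modelled because the description gives no affected range for it.

```python
"""Triage helper for Gentoo bug #352859 (MIT krb5 DoS CVEs).

Added example, not Gentoo or MIT code.  Encodes the ranges and
conditions from the bug description:

  CVE-2010-4022  >=1.7, only when kpropd runs standalone (-S)
  CVE-2011-0281  >=1.6, only with an LDAP KDC back end
  CVE-2011-0282  >=1.6, only with an LDAP KDC back end
  CVE-2011-0283  >=1.9, any back end

and the fixing revisions from the bug summary: 1.8.3-r3 and 1.9-r1.
Assumption: the version grammar below covers only 'N.N.N' with an
optional '-rN' suffix, as used on this bug, not Portage's full grammar.
"""
import re
import shlex

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """'1.8.3-r3' -> ((1, 8, 3), 3); a missing -rN counts as revision 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


def _ge(a, b):
    """a >= b for (numbers, revision) pairs; shorter tuples are zero-padded."""
    an, ar = a
    bn, br = b
    n = max(len(an), len(bn))
    an = an + (0,) * (n - len(an))
    bn = bn + (0,) * (n - len(bn))
    return (an, ar) >= (bn, br)


# Fixing revisions named in the bug summary, keyed by series.
FIXED = {
    "1.8": parse_version("1.8.3-r3"),
    "1.9": parse_version("1.9-r1"),
}


def is_patched(ver):
    """True if ver is at or above the fixing revision for its series."""
    v = parse_version(ver)
    if _ge(v, parse_version("1.9")):
        return _ge(v, FIXED["1.9"])
    return _ge(v, FIXED["1.8"])


# (CVE, first affected version, configuration condition or None)
ADVISORIES = [
    ("CVE-2010-4022", "1.7", "kpropd_standalone"),
    ("CVE-2011-0281", "1.6", "ldap_backend"),
    ("CVE-2011-0282", "1.6", "ldap_backend"),
    ("CVE-2011-0283", "1.9", None),
]


def affected_cves(ver, kpropd_standalone=False, ldap_backend=False):
    """Sorted list of CVEs from this bug that apply to a host.

    ver: installed app-crypt/mit-krb5 version, e.g. '1.8.3-r2'.
    kpropd_standalone: kpropd is started with -S (iprop and inetd are exempt).
    ldap_backend: the KDC uses the LDAP database back end.
    """
    if is_patched(ver):
        return []
    v = parse_version(ver)
    conds = {"kpropd_standalone": kpropd_standalone, "ldap_backend": ldap_backend}
    hits = []
    for cve, first, cond in ADVISORIES:
        if not _ge(v, parse_version(first)):
            continue
        if cond is not None and not conds[cond]:
            continue
        hits.append(cve)
    return sorted(hits)


def kpropd_is_standalone(cmdline):
    """True if a kpropd command line (e.g. from ps) carries the -S flag."""
    return "-S" in shlex.split(cmdline)


if __name__ == "__main__":
    # Constructed sample host: stable 1.8.3-r2, LDAP back end, standalone kpropd.
    cmd = "/usr/sbin/kpropd -S"
    print(affected_cves("1.8.3-r2",
                        kpropd_standalone=kpropd_is_standalone(cmd),
                        ldap_backend=True))
```

The conditions matter as much as the version: an unpatched 1.8.3 host whose kpropd runs from inetd and whose KDC uses the default DB2 back end is exposed to none of the four CVEs, while the same host with an LDAP back end is exposed to CVE-2011-0281 and CVE-2011-0282 regardless of how kpropd is started.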
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-01-26 19:52:11 UTC
Upstream notes that the disclosure of CVE-2011-0281 might already happen before Feb 08 as the trigger is already semi-public.

Eray, do you want to prepare an updated ebuild for prestabling?
These issues are 'just' DoS in special configurations, that might not warrant the effort, but with likely 12 days of time left, it might still be worth pursuing.
Let me know, and I'll request the patches.
Comment 2 Eray Aslan gentoo-dev 2011-01-26 19:59:56 UTC
Aye, if you can get the patches, I am all for updating the ebuild.  Thanks.
Comment 3 Eray Aslan gentoo-dev 2011-02-08 22:46:18 UTC
+*mit-krb5-1.9-r1 (08 Feb 2011)
+*mit-krb5-1.8.3-r3 (08 Feb 2011)
+
+  08 Feb 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r3.ebuild,
+  +files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch,
+  +mit-krb5-1.9-r1.ebuild, +files/CVE-2010-4022.patch,
+  +files/CVE-2011-0281.0282.0283.patch:
+  Security bump - bug #352859
+
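Review bot: the file list does not say which ebuild applies files/CVE-2010-4022.patch; the bug summary states that 1.8.3-r3 fixes CVE-2010-4022 as well, yet the only 1.8.3-specific patch named is files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch, and CVE-2011-0284 from the summary appears in neither patch name. Spell out the CVE set each revision covers in the entry text ("Security bump - bug #352859") so arch testers and the GLSA can confirm that the stabilization target 1.8.3-r3 also carries the kpropd fix.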
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-02-10 07:13:13 UTC
These issues are now public:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt

(In reply to comment #3)
> +*mit-krb5-1.9-r1 (08 Feb 2011)
> +*mit-krb5-1.8.3-r3 (08 Feb 2011)
> +

Thank you, Eray. Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?
Comment 5 Eray Aslan gentoo-dev 2011-02-10 07:16:25 UTC
(In reply to comment #4)
> Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?

Yes, =app-crypt/mit-krb5-1.8.3-r3 is OK for stabilization.  Sorry, should have mentioned it in my comment above.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-02-10 07:32:28 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?
> 
> Yes, =app-crypt/mit-krb5-1.8.3-r3 is OK for stabilization.  Sorry, should have
> mentioned it in my comment above.
> 

Thanks and no problem.

Arches, please test and mark stable:
=app-crypt/mit-krb5-1.8.3-r3
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-02-10 11:20:58 UTC
amd64 ok
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-02-10 22:21:17 UTC
amd64 done. Thanks Agostino
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-11 09:34:00 UTC
ppc/ppc64 stable
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-11 12:42:21 UTC
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:25:14 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-12 18:06:58 UTC
Stable for HPPA.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:09:37 UTC
Thanks, folks.

GLSA Vote: Yes.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:25:34 UTC
GLSA with #323525 .
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 07:58:50 UTC
CVE-2011-0284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0284):
  Double free vulnerability in the prepare_error_as function in do_as_req.c in
  the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through
  1.9, when the PKINIT feature is enabled, allows remote attackers to cause a
  denial of service (daemon crash) or possibly execute arbitrary code via an
  e_data field containing typed data.

CVE-2011-0283 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0283):
  The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  daemon crash) via a malformed request packet that does not trigger a
  response packet.

CVE-2011-0282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0282):
  The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through
  1.9, when an LDAP backend is used, allows remote attackers to cause a denial
  of service (NULL pointer dereference or buffer over-read, and daemon crash)
  via a crafted principal name.

CVE-2011-0281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0281):
  The unparse implementation in the Key Distribution Center (KDC) in MIT
  Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used,
  allows remote attackers to cause a denial of service (file descriptor
  exhaustion and daemon hang) via a principal name that triggers use of a
  backslash escape sequence, as demonstrated by a \n sequence.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:59:28 UTC
CVE-2010-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4022):
  The do_standalone function in the MIT krb5 KDC database propagation daemon
  (kpropd) in Kerberos 1.7, 1.8, and 1.9, when running in standalone mode,
  does not properly handle when a worker child process "exits abnormally,"
  which allows remote attackers to cause a denial of service (listening
  process termination, no new connections, and lack of updates in slave KDC)
  via unspecified vectors.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:38 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).