Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 50208

Summary: app-crypt/heimdal : Kerberos 4 buffer overrun in kadmin
Product: Gentoo Security Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: tobias
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.pdc.kth.se/heimdal/advisory/2004-05-06/
Whiteboard:
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-05-06 05:18:40 UTC
All releases prior to 0.6.2 have a possible buffer overrun problem in the Kerberos 4 kadmin compatibility module. It would probably be possible to implement a remote exploit for this, depending on architechture.

http://www.pdc.kth.se/heimdal/advisory/2004-05-06/
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:09.kadmind.asc
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-06 13:19:03 UTC
CAN-2004-0434
C1 type -> major, target delay 5 days
upstream fix available : version 0.6.2
no maintainer

solar : you did the last bump, can you do it again ?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-05-10 05:07:45 UTC
v0.6.2 in portage, thanks to aliz
arches: please test app-crypt/heimdal-0.6.2 and mark stable
Comment 3 Jason Wever (RETIRED) gentoo-dev 2004-05-10 19:47:08 UTC
Testing here looks good, though fetchmail's configure script cannot find what it needs for kerberos5 support with heimdal-0.6.2.  Not sure if this worked previously or not.
Comment 4 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-05-11 17:30:23 UTC
Marked stable on alpha.
Comment 5 Guy Martin (RETIRED) gentoo-dev 2004-05-12 15:54:35 UTC
Marked stable on hppa.
Comment 6 Jason Wever (RETIRED) gentoo-dev 2004-05-13 20:02:18 UTC
So do we really care about the fact that fetchmail doesn't work here or not?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 12:46:57 UTC
*** Bug 51493 has been marked as a duplicate of this bug. ***
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 12:49:20 UTC
Noone is sure it was working before. I would say "mark stable" so that the GLSA can go out. Then someone can enter the bug in case it's a regression...

arches : please mark stable or refute :)
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-05-19 15:20:38 UTC
Okey dokey.  This might be a situation to add into the security policy.  Marked stable on sparc.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-05-21 01:00:06 UTC
x86,ppc,mips,amd64,ia64 : please mark stable
Comment 11 Jason Huebel (RETIRED) gentoo-dev 2004-05-25 11:30:12 UTC
stable on amd64
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-05-26 10:56:35 UTC
Still missing app-crypt/heimdal-0.6.2 stable on x86, mips and ia64...
x86 : we are waiting for you to issue the GLSA.
Comment 13 Ryan Phillips (RETIRED) gentoo-dev 2004-05-26 16:41:24 UTC
marked stable on x86.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-05-27 02:03:30 UTC
Heimdal is ready to go
Comment 15 Joshua Kinard gentoo-dev 2004-05-27 02:25:38 UTC
Stable on mips.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-05-27 05:29:02 UTC
GLSA 200405-23