
Bug 52744

Summary: app-crypt/mit-krb5 buffer overflows in krb5_aname_to_localname
Product: Gentoo Security
Reporter: Dan Margolis (RETIRED) <krispykringle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: netmon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
Whiteboard: C0 [glsa]
Package list:
Runtime testing required: ---

Description Dan Margolis (RETIRED) gentoo-dev 2004-06-01 18:59:48 UTC
It seems there's a buffer overflow in MIT's kerberos 5. 

``The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access.  Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service.  (See
MITIGATING FACTORS below.)  No exploits are known to exist yet.''

It seems that most servers will not be configured in a way that makes them vulnerable, but if vulnerable, an authenticated user could execute code remotely. See the advisory for more information.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
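The description above gives the shape of the problem without showing any code: a library routine that maps an authenticated principal name to a local account name, where the principal string is chosen by the client and a non-default mapping configuration reaches a copy that is not bounded by the destination buffer. As an added illustration of that bug class (this is not MIT's krb5_aname_to_localname and is not taken from the advisory; the toy "$1" rule syntax, the function names and the LNAME_MAX size are hypothetical), here is an unchecked rule-based mapper next to a bounds-checked one:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed size of the local-name buffer a caller hands in. */
#define LNAME_MAX 64

/* Toy rule syntax (hypothetical): the text "$1" in a rule is replaced by the
 * principal's first component, i.e. the part of "user/inst@REALM" before the
 * first '/' or '@'; every other character of the rule is copied literally. */

/* Unchecked variant: the principal name is attacker-chosen (any client that can
 * authenticate picks it), yet nothing compares its length with the destination.
 * A long first component runs past the end of out. It is never called with a
 * long name here; it exists only to show the shape of the defect. */
int map_unchecked(const char *rule, const char *princ, char *out)
{
    size_t clen = strcspn(princ, "/@");
    char *p = out;
    for (const char *r = rule; *r != '\0'; r++) {
        if (r[0] == '$' && r[1] == '1') {
            memcpy(p, princ, clen);   /* no bound on p: the overflow */
            p += clen;
            r++;                      /* skip the '1' */
        } else {
            *p++ = *r;                /* no bound here either */
        }
    }
    *p = '\0';
    return 0;
}

/* Checked variant: every write is measured against the space that remains,
 * and an oversized result is rejected outright rather than truncated, so a
 * caller cannot end up authorising a silently mangled local name.
 * Returns 0 on success, -1 if the mapped name would not fit in outlen bytes. */
int map_checked(const char *rule, const char *princ, char *out, size_t outlen)
{
    size_t clen = strcspn(princ, "/@");
    size_t used = 0;
    if (outlen == 0)
        return -1;
    for (const char *r = rule; *r != '\0'; r++) {
        if (r[0] == '$' && r[1] == '1') {
            if (clen > outlen - 1 - used)   /* leave room for the NUL */
                return -1;
            memcpy(out + used, princ, clen);
            used += clen;
            r++;
        } else {
            if (used >= outlen - 1)
                return -1;
            out[used++] = *r;
        }
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal principal and one whose first component
     * is 100 bytes, longer than LNAME_MAX. */
    char lname[LNAME_MAX];
    char longp[128];
    memset(longp, 'a', 100);
    strcpy(longp + 100, "@EXAMPLE.COM");

    if (map_checked("$1-local", "alice/admin@EXAMPLE.COM", lname, sizeof lname) == 0)
        printf("checked:   alice/admin@EXAMPLE.COM -> %s\n", lname);
    if (map_checked("$1-local", longp, lname, sizeof lname) != 0)
        printf("checked:   100-byte component rejected\n");

    /* The unchecked mapper only ever sees the short name here; fed longp it
     * would write over 100 bytes into a 64-byte stack buffer. */
    map_unchecked("$1-local", "alice/admin@EXAMPLE.COM", lname);
    printf("unchecked: alice/admin@EXAMPLE.COM -> %s\n", lname);
    return 0;
}
```

The point the two variants make is the one the advisory's mitigating factors rest on: the overflow is only reachable through the rule-substitution path, which is why a service that does not use such mapping is not exposed, and the client still has to authenticate before its principal name ever reaches the mapper. The checked version refuses rather than truncates; a truncated local name could map an unknown principal onto an existing account, which is worse than a failed mapping.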
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-02 02:14:02 UTC
Patch for 1.3.3 available at :
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt

netmon : please apply patch and bump to 1.3.3-r1
Comment 2 solar (RETIRED) gentoo-dev 2004-06-02 05:20:40 UTC
kerberos vuln.. who would have ever guessed
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-05 01:37:36 UTC
Patch has been recently updated at given URL.

netmon does not have much time for the moment, so security can apply patch with their blessing. If anyone with commit feels like it...
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:51:07 UTC
netmon herd : if you have more availability now to patch this, as no one in the security team has stepped up yet... We are getting quite late.
Comment 5 Jon Hood (RETIRED) gentoo-dev 2004-06-15 14:38:28 UTC
Sorry this took so long; I haven't done any security-related bugs before, but seeing as no one else has worked on this, could everyone please test 1.3.3-r1 which I just put into portage with the suggested patch?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-06-16 01:01:13 UTC
Thank you Jon.
Adding all arches for testing : please test and mark app-crypt/mit-krb5-1.3.3-r1 stable.
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-17 02:15:19 UTC
Stable on alpha.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-06-17 05:43:40 UTC
Stable on sparc.
Comment 9 Guy Martin (RETIRED) gentoo-dev 2004-06-18 04:55:08 UTC
Stable on hppa.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-21 08:23:24 UTC
GLSA drafted: security please review.

x86 ppc amd64 please mark stable asap.
Comment 11 SpanKY gentoo-dev 2004-06-24 18:00:02 UTC
sorry for delay, marked arm stable

btw, wtf is this for:
    CFLAGS=`echo ${CFLAGS} | xargs`
    CXXFLAGS=`echo ${CXXFLAGS} | xargs`
    LDFLAGS=`echo ${LDFLAGS} | xargs`
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-06-25 13:54:37 UTC
We're getting very late on that one. Other distributions have advisories out since June 2...

x86, ppc, amd64 : please mark stable so that the GLSA can go out... or report why you can't mark stable.
Comment 13 Jon Hood (RETIRED) gentoo-dev 2004-06-27 20:06:14 UTC
I have tested this on stable x86 servers and other systems; it works fine. I marked it stable on x86 since I got tired of waiting.
Comment 14 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-27 23:26:16 UTC
stable on amd64.
Comment 15 Joshua Kinard gentoo-dev 2004-06-28 00:13:45 UTC
Stable on mips yesterday, removing CC.
Comment 16 Luca Barbato gentoo-dev 2004-06-28 13:59:29 UTC
Eventually marked ppc, sorry but I was busy
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-06-29 00:34:57 UTC
This is ready for GLSA publication.
ia64,ppc64,s390 : don't forget to mark stable to benefit from the GLSA.
Comment 18 Kurt Lieber (RETIRED) gentoo-dev 2004-06-29 09:22:14 UTC
glsa 200406-21
Comment 19 Tom Gall (RETIRED) gentoo-dev 2004-07-13 19:55:58 UTC
1.3.1-r1 marked stable on ppc64