
Bug 639702 (CVE-2017-15088)

Summary: <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability
Product: Gentoo Security
Component: Vulnerabilities
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
Priority: Normal
CC: kerberos
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [noglsa cve]
Package list: =app-crypt/mit-krb5-1.15.2-r1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 01:58:22 UTC
CVE-2017-15088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15088):
  plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5)
  through 1.15.2 mishandles Distinguished Name (DN) fields, which allows
  remote attackers to execute arbitrary code or cause a denial of service
  (buffer overflow and application crash) in situations involving untrusted
  X.509 data, related to the get_matching_data and X509_NAME_oneline_ex
  functions. NOTE: this has security relevance only in use cases outside of
  the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC
  certauth plugin code that is specific to Red Hat.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-04 01:59:04 UTC
@Maintainers, could you confirm if we are affected?

Thank you
Comment 2 Eray Aslan gentoo-dev 2017-12-05 10:04:09 UTC
app-crypt/mit-krb5-1.15.2 is vulnerable.

Arches, please test and mark stable
=app-crypt/mit-krb5-1.15.2-r1

Target Keywords = alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2017-12-06 20:57:33 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-08 20:40:34 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 14:54:18 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-10 23:01:06 UTC
ppc/ppc64 stable
Comment 7 Markus Meier gentoo-dev 2017-12-13 21:06:45 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-28 22:03:09 UTC
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 16:52:09 UTC
Stable on alpha.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:49:52 UTC
GLSA request filed.

@maintainer(s), please clean the vulnerable version from the tree (note that sparc is now an exp profile and has a previous stable keyword).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-01-27 22:08:01 UTC
After further discussion with other team members, this vulnerability is not relevant to Gentoo. It only impacts Red Hat's MIT KRB5 implementation due to additional code/changes. Upstream is not impacted and as such Gentoo is not.