Bug 715606 (CVE-2020-10595)

Summary: <sys-auth/pam_krb5-4.9: Buffer overflow (CVE-2020-10595)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eras, kerberos, whissi
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2020/03/31/1
Whiteboard: B3 [noglsa cve]
Package list:
=sys-auth/pam_krb5-4.9
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-31 11:37:40 UTC
From URL:
Vulnerability type:  Buffer overflow
Versions affected:   All versions prior to 4.8
Versions fixed:      4.9 and later
Discovered:          2020-03-02
Public announcement: 2009-03-30
CVE ID:              CVE-2020-10595

During a refactor of my pam-krb5 Kerberos PAM module, I discovered a
single byte buffer overflow that had been there since either the first
version of the module or very early in its development.  During prompting
initiated by the Kerberos library, an attacker who enters a response
exactly as long as the length of the buffer provided by the underlying
Kerberos library will cause pam-krb5 to write a single nul byte past the
end of that buffer.

----
See URL for more info.
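
The bounds-check error described in the advisory above, as an added illustration that is not part of the original report and is not pam-krb5's source: the function names, the 8-byte capacity and the guard byte are constructed for the demonstration. The backing array is one byte larger than the logical buffer, so the stray nul is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define CAP   8      /* constructed capacity of the library's reply buffer */
#define GUARD 0x5a   /* marks the caller-owned byte just past that buffer  */

/* Flawed length check (assumed shape of the bug class, not pam-krb5 source):
 * a response of exactly `cap` bytes passes, so the nul lands at buf[cap]. */
static int store_off_by_one(char *buf, size_t cap, const char *resp)
{
    size_t n = strlen(resp);
    if (n > cap)
        return -1;
    memcpy(buf, resp, n);
    buf[n] = '\0';
    return 0;
}

/* Corrected check: the response plus its terminator must fit in `cap`. */
static int store_checked(char *buf, size_t cap, const char *resp)
{
    size_t n = strlen(resp);
    if (n >= cap)
        return -1;
    memcpy(buf, resp, n);
    buf[n] = '\0';
    return 0;
}

/* Runs `store` on a CAP-byte logical buffer backed by CAP+1 bytes, so the
 * stray write stays inside the allocation. Returns 1 if the guard survived. */
static int guard_intact(int (*store)(char *, size_t, const char *),
                        const char *resp, int *rc)
{
    char backing[CAP + 1] = {0};
    backing[CAP] = GUARD;
    *rc = store(backing, CAP, resp);
    return backing[CAP] == GUARD;
}

int main(void)
{
    int rc;
    int ok = guard_intact(store_off_by_one, "12345678", &rc);
    printf("flawed:  rc=%d guard_intact=%d\n", rc, ok);
    ok = guard_intact(store_checked, "12345678", &rc);
    printf("checked: rc=%d guard_intact=%d\n", rc, ok);
    return 0;
}
```

Only a response whose length equals the buffer capacity separates the two checks; shorter and longer inputs behave identically in both, which is why a boundary-length case belongs in the test suite for any prompt-handling code.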
Comment 1 Sam James archtester gentoo-dev Security 2020-03-31 11:37:59 UTC
@maintainer(s), please create an appropriate ebuild
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-31 18:00:11 UTC
*** Bug 711840 has been marked as a duplicate of this bug. ***
Comment 3 Larry the Git Cow gentoo-dev 2020-04-02 08:02:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bca9f938e3b08bafcb35c882398c8b130015b08

commit 1bca9f938e3b08bafcb35c882398c8b130015b08
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-04-02 08:02:23 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-04-02 08:02:23 +0000

    sys-auth/pam_krb5: security bump to 4.9
    
    Bug: https://bugs.gentoo.org/715606
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 sys-auth/pam_krb5/Manifest            |  1 +
 sys-auth/pam_krb5/pam_krb5-4.9.ebuild | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2020-04-02 08:11:25 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 5 Eray Aslan gentoo-dev 2020-04-07 14:48:09 UTC
Arches, please test and mark stable
=sys-auth/pam_krb5-4.9

Target Keywords = ~alpha amd64 arm ~hppa ~ia64 ppc ppc64 ~s390 ~sparc x86
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-13 15:53:20 UTC
This is an automatic message.

@maintainer(s):
I'm getting test-failure(s) (that were already reported) on amd64. If you want the package to pass my CI environment and got stabilized, please carry out the necessary operations to make sure that src_test() won't fail.
Thanks.
Comment 7 Eray Aslan gentoo-dev 2020-04-14 07:12:21 UTC
(In reply to Agostino Sarubbo from comment #6)
> @maintainer(s):
> I'm getting test-failure(s) (that were already reported) on amd64. If you
> want the package to pass my CI environment and got stabilized, please carry
> out the necessary operations to make sure that src_test() won't fail.

Did you have mit-krb5 or heimdal installed when running the tests?  I think known problem of test failure when kerberos is not installed.
Comment 8 Eray Aslan gentoo-dev 2020-04-14 13:09:28 UTC
(In reply to Eray Aslan from comment #7)
> Did you have mit-krb5 or heimdal installed when running the tests?  I think
> known problem of test failure when kerberos is not installed.

and I mean configured - not installed in the above comment.  sorry.  the failing test needs a /etc/krb5.conf if I am not mistaken.  in other words, tests fail if kerberos is installed but not configured.

anyway, added RESTRICT="test" for now
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-14 16:43:55 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-14 16:44:37 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-15 06:55:19 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-04-15 06:58:42 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-04-15 13:36:11 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 NATTkA bot gentoo-dev 2020-04-15 13:40:36 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 15 Larry the Git Cow gentoo-dev 2020-04-15 16:56:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=311371918f8e7165027abb59e413f1d53033e926

commit 311371918f8e7165027abb59e413f1d53033e926
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-04-15 16:55:52 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-04-15 16:55:52 +0000

    sys-auth/pam_krb5: remove vulnerable
    
    Bug: https://bugs.gentoo.org/715606
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 sys-auth/pam_krb5/Manifest            |  2 --
 sys-auth/pam_krb5/pam_krb5-4.6.ebuild | 34 ----------------------------------
 sys-auth/pam_krb5/pam_krb5-4.7.ebuild | 35 -----------------------------------
 3 files changed, 71 deletions(-)
Comment 16 Rolf Eike Beer archtester 2020-04-15 21:56:45 UTC
hppa stable
Comment 17 Rolf Eike Beer archtester 2020-04-18 08:12:33 UTC
sparc stable