| Field | Value |
|---|---|
| Summary | app-crypt/mit-krb5: heap buffer overflow in libkadm5srv |
| Product | Gentoo Security |
| Reporter | Matthias Geerdsen (RETIRED) <vorlon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | aliz, christophe, jaervosz, rphillips |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-004-pwhist.txt |
| Whiteboard | B1 [glsa] |
| Package list | |
| Runtime testing required | --- |

Description
Matthias Geerdsen (RETIRED)
2004-12-21 01:00:40 UTC
aliz, rphillips, please provide an updated ebuild with the patches

*** Bug 74449 has been marked as a duplicate of this bug. ***

rphillips/aliz: This is nasty, please patch it asap

mit-krb5 1.3.6 has been released. This security bug has been fixed. We should *really* upgrade. http://web.mit.edu/kerberos/www/krb5-1.3/

Version 1.3.6 has been committed. Arches need to test and unmask. -r

Thx Ryan. Arches please test and mark stable.

I get this on ppc64:
--- SNIP ---
checking for socket... yes
checking if DNS Kerberos lookup support should be compiled in... yes
checking for res_search... no
checking for res_search in -lresolv... no
configure: error: Cannot find resolver support routine res_search in -lresolv.
!!! ERROR: app-crypt/mit-krb5-1.3.6 failed.
!!! Function econf, Line 449, Exitcode 1
!!! econf failed
--- SNIP ---
Markus

Markus: can you try the previous stable one (1.3.4-r1) and see if it compiles right? Just to be sure we're dealing with a regression here, not a missing dep that has always been missing.

1.3.4-r1 compiles and works for me.

sparc stable.

same result... :-(

Stable on mips.

Created attachment 47192
mit-krb5-1.3.6-ppc64.patch
I'm sorry. I first regenerated the configure scripts and then applied the patch. Of course this has to be the other way around. Now it works. Here is the patch.
This should be tested on other archs, too. If it works, I'll add it arch independent. Otherwise I have to use "use ppc64 && patch ..."
Stable on alpha.

Markus: given that other arches tested without the patch and reported success maybe it's better not to force them to test a new version. I think the best way to handle this is to submit a 1.3.6-r1 as "~* ppc64" with the patch in "use ppc64 &&"-style and mark it stable on ppc64. Another way of doing it if you feel the patch is useful for everyone is to have it "-* ppc64" with the patch applied to all arches. They will test it in time and unmask -r1 for them if it works, but we can still issue the GLSA as unaffected: >=1.3.6

I've added 1.3.6-r1 and applied the ppc64 using "use ppc64 && .."
Markus

amd64 also needs -r1, so I changed the name of the patch and changed use ppc64 && to 64-bit &&. It's stable now on amd64

Patch file for 64bit should be called: files/mit-krb5-1.3.6-64-bit.patch as stated in ebuild, but actually is files/mit-krb5-1.3.6-64bit.patch

arm/hppa/ia64/s390 stable also fixed 64 bit patch name

It compiles on ppc. But is it normal that ktelnet quits with a segmentation fault? So, it's not masked stable yet.

sorry for the delay.... x86 stable and happy new year..

stable on ppc

Thx everyone closing with GLSA 200501-05