Bug 917464 (CVE-2023-36054, CVE-2023-39975)

Summary:	<app-crypt/mit-krb5-1.21.2: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	eras, kerberos
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://mailman.mit.edu/pipermail/kerberos-announce/2023q3/000205.html
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	917465
Bug Blocks:

Description John Helmert III archtester

2023-11-17 04:12:10 UTC

CVE-2023-36054 (https://web.mit.edu/kerberos/www/advisories/):

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Patch seems to be: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd

Also noted in 1.20.2 and 1.21.1 release notes:

"* Fix read overruns in SPNEGO parsing (already included in 1.21)."

Looks like we never had any vulnerable 1.21. Need to stabilize fixed
1.20.2.

Comment 1 John Helmert III archtester

2023-11-17 04:28:48 UTC

CVE-2023-39975 (https://mailman.mit.edu/pipermail/kerberos-announce/2023q3/000206.html):

kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.

https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840

Comment 2 Larry the Git Cow gentoo-dev

2024-04-05 07:15:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=804b1075226d5093c6541db7837efd767ab08bb2

commit 804b1075226d5093c6541db7837efd767ab08bb2
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-04-05 07:11:53 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-04-05 07:11:53 +0000

    app-crypt/mit-krb5: security cleanup
    
    Bug: https://bugs.gentoo.org/917464
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest                        |   3 -
 .../files/mit-krb5-1.20-missing-time-include.patch |  20 ---
 .../files/mit-krb5-1.20.1-autoconf-2.72.patch      |  31 -----
 .../files/mit-krb5-config_LDFLAGS-r1.patch         |  12 --
 app-crypt/mit-krb5/mit-krb5-1.20.1.ebuild          | 149 ---------------------
 app-crypt/mit-krb5/mit-krb5-1.20.2.ebuild          | 148 --------------------
 app-crypt/mit-krb5/mit-krb5-1.21.1.ebuild          | 146 --------------------
 7 files changed, 509 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-05-05 07:13:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=573380a79676407a84c4bd5cfca7805936336c8a

commit 573380a79676407a84c4bd5cfca7805936336c8a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 07:13:18 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 07:13:49 +0000

    [ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803434
    Bug: https://bugs.gentoo.org/809845
    Bug: https://bugs.gentoo.org/879875
    Bug: https://bugs.gentoo.org/917464
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-11.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)