MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999] An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code.
[CVE-2007-4000] An authenticated user with "modify policy" privilege may be able to cause a host running kadmind to execute arbitrary code.

See: http://www.securityfocus.com/archive/1/478544

Reproducible: Always

Steps to Reproduce:
*** Bug 191356 has been marked as a duplicate of this bug. ***
kerberos, please advise.
I think I have some patches laying around for this fix. Will report back.
Created attachment 130116 [details, diff]
Revised patch. See http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

"... The patch for CVE-2007-3999 has been revised; the patch originally released for svc_auth_gss.c allowed a 32-byte overflow. Depending on the compilation environment and machine architecture, this may or may not be a significant continued vulnerability. The new patch below correctly checks the buffer length. ..."
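As an added illustration (this is not code from the bug, the advisory, or MIT's svc_auth_gss.c), the class of mistake the revised advisory describes: a length check that compares the incoming verifier against the whole scratch buffer while the copy starts after a fixed header that has already been written into that buffer, so the check passes and the copy runs past the end by the header's size. All sizes here (a 128-byte buffer, a 32-byte header, a 64-byte canary) are assumptions chosen so the flawed check overshoots by exactly the 32 bytes the advisory quotes; the real structures and constants in kadmind differ. The canary sits inside the same struct so the overrun can be measured without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes only (assumptions, not the kadmind constants): a
 * fixed-size scratch buffer receives a HDR_LEN-byte header first and then
 * a caller-controlled verifier of verf_len bytes. */
#define SCRATCH_LEN 128
#define HDR_LEN      32
#define CANARY_LEN   64
#define CANARY_BYTE  0xAA

/* canary sits immediately after buf so we can measure how far a copy ran
 * past the end of buf. Writes into it go through a pointer derived from
 * the enclosing struct, so the demo stays inside one object. */
struct scratch {
    uint8_t buf[SCRATCH_LEN];
    uint8_t canary[CANARY_LEN];
};

static void reset(struct scratch *s) {
    memset(s->buf, 0, SCRATCH_LEN);
    memset(s->canary, CANARY_BYTE, CANARY_LEN);
}

/* Number of canary bytes clobbered, i.e. how many bytes the copy overflowed. */
size_t canary_damage(const struct scratch *s) {
    size_t n = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (s->canary[i] != CANARY_BYTE) n++;
    return n;
}

/* Flawed check: verf_len is compared against the whole buffer, but the
 * copy starts HDR_LEN bytes in, so up to HDR_LEN bytes land past the end.
 * Returns 1 if the verifier was accepted, 0 if rejected. */
int validate_flawed(struct scratch *s, const uint8_t *verf, size_t verf_len) {
    reset(s);
    if (verf_len > SCRATCH_LEN)
        return 0;
    memset(s->buf, 0x01, HDR_LEN);                  /* fixed header */
    memcpy((uint8_t *)s + HDR_LEN, verf, verf_len); /* may run into canary */
    return 1;
}

/* Corrected check: subtract the header before comparing against the buffer. */
int validate_fixed(struct scratch *s, const uint8_t *verf, size_t verf_len) {
    reset(s);
    if (verf_len > SCRATCH_LEN - HDR_LEN)
        return 0;
    memset(s->buf, 0x01, HDR_LEN);
    memcpy(s->buf + HDR_LEN, verf, verf_len);       /* always within buf */
    return 1;
}

/* Drive one validator with a constructed verifier of verf_len bytes
 * (verf_len <= SCRATCH_LEN) and report whether it was accepted. */
int accepts(int use_fixed, size_t verf_len) {
    struct scratch s;
    uint8_t verf[SCRATCH_LEN];
    memset(verf, 0x42, sizeof verf); /* constructed verifier payload */
    return use_fixed ? validate_fixed(&s, verf, verf_len)
                     : validate_flawed(&s, verf, verf_len);
}

/* Same drive, but report how many bytes past buf the validator wrote. */
size_t overflow_bytes(int use_fixed, size_t verf_len) {
    struct scratch s;
    uint8_t verf[SCRATCH_LEN];
    memset(verf, 0x42, sizeof verf);
    if (use_fixed) validate_fixed(&s, verf, verf_len);
    else           validate_flawed(&s, verf, verf_len);
    return canary_damage(&s);
}

int main(void) {
    printf("flawed, 128-byte verifier: accepted=%d overflow=%zu\n",
           accepts(0, SCRATCH_LEN), overflow_bytes(0, SCRATCH_LEN));
    printf("fixed,  128-byte verifier: accepted=%d overflow=%zu\n",
           accepts(1, SCRATCH_LEN), overflow_bytes(1, SCRATCH_LEN));
    printf("fixed,   96-byte verifier: accepted=%d overflow=%zu\n",
           accepts(1, SCRATCH_LEN - HDR_LEN), overflow_bytes(1, SCRATCH_LEN - HDR_LEN));
    return 0;
}
```

The flawed validator accepts a maximum-length verifier and writes exactly HDR_LEN bytes past the buffer; the corrected one rejects anything longer than SCRATCH_LEN minus HDR_LEN and never touches the canary. Whether such an overrun is exploitable in practice depends on what sits after the buffer on a given platform, which is the caveat the advisory makes about compilation environment and architecture.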
*** Bug 191444 has been marked as a duplicate of this bug. ***
Thanks for that, Heath. New ebuild is 1.5.3-r1. Arch teams can feel free to do what they need to.
Thanks Seemant. Arches, please test and mark stable. Target keywords are: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
alpha/ia64/x86 stable
ppc stable
amd64 done
ppc64 stable
mit-krb5-1.5.3-r1 emerged fine here on sparc64 with both:
app-crypt/mit-krb5-1.5.3-r1 (ipv6 tcl)
app-crypt/mit-krb5-1.5.3-r1
Created attachment 130389 [details]
sparc64 emerge --info
security: GLSA drafted and ready for review.
sparc team, please test and mark stable.
Stable for SPARC.
GLSA 200709-01. Thanks, everyone.