MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer
[CVE-2007-3999] An unauthenticated remote user may be able to cause a
host running kadmind to execute arbitrary code.
[CVE-2007-4000] An authenticated user with "modify policy" privilege
may be able to cause a host running kadmind to execute arbitrary code.
Steps to Reproduce:
*** Bug 191356 has been marked as a duplicate of this bug. ***
kerberos, please advise.
I think I have some patches laying around for this fix. Will report back.
Created attachment 130116
The patch for CVE-2007-3999 has been revised; the patch originally
released for svc_auth_gss.c allowed a 32-byte overflow. Depending
on the compilation environment and machine architecture, this may or
may not be a significant continued vulnerability. The new patch
below correctly checks the buffer length.
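The length-check pattern the advisory comment describes, as an added illustrative C example that is not the MIT patch itself: it assumes a 128-byte header buffer in which eight 4-byte XDR fields (32 bytes) are written before the verifier is appended, so a check against the whole buffer size leaves exactly 32 bytes unaccounted for, and the corrected check subtracts the header bytes already used.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative reconstruction, not MIT's code. The buffer size, field
 * count and names below are assumptions chosen to match the 32-byte
 * figure in the advisory text. */
#define RPCHDR_SIZE        128
#define BYTES_PER_XDR_UNIT 4
/* xid, direction, rpcvers, prog, vers, proc, oa_flavor, oa_length */
#define RPC_HDR_FIELDS     8
#define RPC_HDR_BYTES      (RPC_HDR_FIELDS * BYTES_PER_XDR_UNIT) /* 32 */

/* Weak check: compares the verifier length against the whole buffer and
 * ignores the header bytes already written, so a verifier of up to
 * RPCHDR_SIZE bytes is accepted and the copy can run 32 bytes past the
 * end of the buffer. */
bool verifier_fits_weak(size_t oa_length) {
    return oa_length <= RPCHDR_SIZE;
}

/* Corrected check: only the space remaining after the header counts. */
bool verifier_fits_fixed(size_t oa_length) {
    return oa_length <= RPCHDR_SIZE - RPC_HDR_BYTES;
}

/* Serializes the header fields (big-endian XDR) followed by the verifier
 * into rpchdr, using the corrected check. Returns the number of bytes
 * written, or 0 when the verifier is rejected. */
size_t build_rpchdr(unsigned char rpchdr[RPCHDR_SIZE],
                    const uint32_t hdr[RPC_HDR_FIELDS],
                    const unsigned char *oa_base, size_t oa_length) {
    if (!verifier_fits_fixed(oa_length))
        return 0;
    unsigned char *p = rpchdr;
    for (int i = 0; i < RPC_HDR_FIELDS; i++) {
        uint32_t v = hdr[i];
        *p++ = (unsigned char)(v >> 24);
        *p++ = (unsigned char)(v >> 16);
        *p++ = (unsigned char)(v >> 8);
        *p++ = (unsigned char)v;
    }
    memcpy(p, oa_base, oa_length);   /* cannot exceed rpchdr now */
    return RPC_HDR_BYTES + oa_length;
}
```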
*** Bug 191444 has been marked as a duplicate of this bug. ***
Thanks for that Heath. New ebuild is 1.5.3-r1.
Arch teams can feel free to do what they need to.
Thanks Seemant. Arches, please test and mark stable. Target keywords are:
"alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
mit-krb5-1.5.3-r1 emerged fine here on sparc64 with both:
app-crypt/mit-krb5-1.5.3-r1 (ipv6 tcl)
Created attachment 130389
sparc64 emerge --info
GLSA drafted and ready for review
sparc team, please test and mark stable
Stable for SPARC.