Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 199207 (CVE-2007-5939) - app-crypt/heimdal ftpd uninitialized vulnerability (CVE-2007-5939)
Summary: app-crypt/heimdal ftpd uninitialized vulnerability (CVE-2007-5939)
Alias: CVE-2007-5939
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 244707
  Show dependency tree
Reported: 2007-11-15 08:22 UTC by airsupply
Modified: 2009-04-23 17:09 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description airsupply 2007-11-15 08:22:15 UTC
Heimdal ftpd uninitialized vulnerability

[Security Advisory]

Advisory: [AD_LAB-07015] Heimdal ftpd uninitialized vulnerability

Class: implementation Error




	<=heimdal 0.7.2
Affected distribution:
	Gentoo <=heimdal-0.7.2-r3
	ubuntu <=heimdal-0.7.2



A vulnerability has been discovered in Heimdal's ftpd.




The Heimdal's ftpd is a  kerberized FTP server , that can be authenticated with Kerberos 5.


	There is a uninitialized  vulnerability in function gss_userok() in ftpd.c.
int  	gss_userok(void *app_data, char *username) 	
77   	        if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
78   	           krb5_ccache ccache = NULL; 
79 (1)		   char* ticketfile; 	<---- declared ticketfile  without initializer
80   	           struct passwd *pw;
82   	           pw = getpwnam(username);
84 (2) 		   if (pw == NULL) {
85   		       ret = 1;
86   		       goto fail;
87   		   }
111  	fail:
112  	           if (ccache)
113  	              krb5_cc_close(gssapi_krb5_context, ccache); 
114 (3)		   free(ticketfile); <---- free the uninitialized variable
115  	        }

at (1) declared ticketfile  without initializer, if match (2) condition,will go to (3) without 
initialize the ticketfile, then free will cause security problem.

Free uninitialized variables can result in unpredictable behavior, crashes, or security holes.



    Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys.



The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 



Trusted {Solution} Provider


Reproducible: Always
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2007-11-16 14:47:58 UTC
I can't find this security announcement referenced on heimdal's website. What exact versions does it affect?

provides no details currently.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-16 22:42:25 UTC
Is there a fix available somewhere?
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2007-11-16 22:47:47 UTC
The fix is trivial. I'll write it. But I was hoping to get more details on the affected versions since I added 1.0.1 to the tree recently and that could be stabled if unaffected.
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2007-11-16 22:57:54 UTC
Peeking at the 1.0.1 code it looks totally different then what's pasted below so I'd say it's not affected.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 01:23:13 UTC
Doug, sorry for getting back so late. Please bump to 1.0.1.
Comment 6 Doug Goldstein (RETIRED) gentoo-dev 2007-12-10 14:42:36 UTC
Turns out just plain 1.0.1 isn't going to work. There's a bunch of issues that Seemant was working on with other users to fix regressions. I have tried to recruit those users to become a heimdal maintainer because I only use heimdal in 1 minor situation which is going away so I wouldn't be a good maintainer for it. None of the users were interested in becoming maintainers. This app is dead from a Gentoo side and contains a security hole.

I've just contacted the Gentoo-Dev ML to hope that someone picks this up. If not, I'll fix the security issue but I'm going to take steps to remove it from the tree.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-01-02 01:46:24 UTC
Mandriva apparantly has a fix:
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-11 13:43:02 UTC
(In reply to comment #7)
> Mandriva apparantly has a fix:

any news here?
Comment 9 Michael Hammer (RETIRED) gentoo-dev 2008-05-13 11:19:50 UTC
No real news on it. We have first stabilized and secured mit-krb5. It will be my next step to get heimdal in an actual version (1.1) into the tree. But this will require some effort and needs time because of the dependencies.

g, mueli
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-10 12:01:39 UTC
(In reply to comment #9)
> No real news on it. We have first stabilized and secured mit-krb5. It will be
> my next step to get heimdal in an actual version (1.1) into the tree. But this
> will require some effort and needs time because of the dependencies.
> g, mueli
I see that you added 1.2.1 to the tree. Is it ok to go stable?
Comment 11 Michael Hammer (RETIRED) gentoo-dev 2008-08-19 08:06:36 UTC
See bug #185899 for the status of heimdal 1.x in portage. The core problem are some dependencies where my proposed solutions aren't commited yet. I've created all bugs -> see the dependency graph. Apart from that heimdal is fully ready to stabalize it.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 09:08:30 UTC
The bugs blocking #185899 are all for support of heimdal in applications (nfs-utils and others). Why are they holding up stabilization of heimdal-1 ?
Support for heimdal in more applications could be easily delivered after it goes stable, or am I missing something?
Comment 13 Michael Hammer (RETIRED) gentoo-dev 2008-08-19 10:09:51 UTC
That's more or less a question of policy. heimdal and mit-krb5 are providing virtual/krb5 and therefore my intention was to make the same compatibility for heimdal as for mit-krb5. nfs-utils is some kind of core util for me and that was the reason for me holding back stabilization. I's simply possible for a lot of people that stable nfs-utils won't compile because it depends on stable heimdal - not very satisfying.

Comments on my view of the situation are really appreciated! As you might now I am rather alone with kerberos ;)

g, mueli
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 10:54:18 UTC
Is our in-tree nfs-utils working with stable heimdal-0.7 ? 

nfs-utils-1.1.0-r1 reads:
# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)
        kerberos? (

If it does not cause a regression, I see no reason to upgrade heimdal first and nfs-utils later.
Comment 15 Michael Hammer (RETIRED) gentoo-dev 2008-08-19 11:04:39 UTC
Hmmm ... it's not a regression. I agree with you that we can uncouple heimdal and nfs-utils. The dependency on fetchmail isn't that worse either.

One issue I forgot is still left. We need >=sys-devel/autoconf-2.62 and would need >=sys-devel/libtool-2.2 which is a dep I prevent with a hack. At least the dependency on the unstable autoconf is a problem for which I haven't seen a solution. (Have forgotten to mention it in the first answer - sry)
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 22:56:23 UTC
Ok, so per bug 227603 we cannot currently stable that autoconf version. One workaround would be to prepare the autotool files and ship them as another patch against the vanilla tarball, and not call eautoreconf.
We should either do that or try to find a timeframe for autoconf stabilization.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-10-27 20:33:00 UTC
bug 217647 is closed, let's revisit this bug then. Is there still a blocker for stable?
Comment 18 Michael Hammer (RETIRED) gentoo-dev 2008-10-28 06:48:35 UTC
No - I'd say we can go stable with heimdal-1.2.1-r1. I am going to open a stabilization bug.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-31 11:02:10 UTC
(In reply to comment #18)
> No - I'd say we can go stable with heimdal-1.2.1-r1. I am going to open a
> stabilization bug.
Just FYI, for security issues, we handle stabling on the same bug, as it's easier for us to track...
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-15 19:08:13 UTC
Time for GLSA decision. I vote NO.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-03-17 00:43:20 UTC
NO, closing.