Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 339866 (CVE-2010-1322) - <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data handling DoS (CVE-2010-1322)
Summary: <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data han...
Status: RESOLVED FIXED
Alias: CVE-2010-1322
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://web.mit.edu/kerberos/advisorie...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 328467
Blocks:
  Show dependency tree
 
Reported: 2010-10-05 19:53 UTC by Paul B. Henson
Modified: 2012-01-23 20:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2010-1322.patch (CVE-2010-1322.patch,1.04 KB, patch)
2010-10-06 11:45 UTC, Eray Aslan
no flags Details | Diff
mit-krb5-1.8.3-r1.ebuild (mit-krb5-1.8.3-r1.ebuild,2.56 KB, text/plain)
2010-10-06 11:50 UTC, Eray Aslan
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Paul B. Henson 2010-10-05 19:53:46 UTC
MIT krb5 Security Advisory 2010-006

Topic: KDC uninitialized pointer crash in authorization data handling
[...]
AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.8 through krb5-1.8.3

* Earlier releases of MIT krb5 did not contain the vulnerable code.


Patch available at

  http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

Please add to ebuild, thanks...
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-10-05 21:39:31 UTC
adding maintainers
Comment 2 Eray Aslan gentoo-dev 2010-10-06 11:45:34 UTC
Created attachment 249737 [details, diff]
CVE-2010-1322.patch
Comment 3 Eray Aslan gentoo-dev 2010-10-06 11:50:19 UTC
Created attachment 249739 [details]
mit-krb5-1.8.3-r1.ebuild

Changelog:

Security bump bug #339866.  Add double blocker to heimdal bug #339143.


On a side note, we can remove all patches in ${FILESDIR} except CVE-2010-1322.
Comment 4 Paul B. Henson 2010-10-21 22:36:51 UTC
Is someone going to add this to portage and get it stabilized? The current stable version is still vulnerable to this security issue.

Thanks...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2010-10-23 14:04:52 UTC
CVE-2010-1322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322):
  The merge_authdata function in kdc_authdata.c in the Key Distribution Center
  (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly
  manage an index into an authorization-data list, which allows remote
  attackers to cause a denial of service (daemon crash), or possibly obtain
  sensitive information, spoof authorization, or execute arbitrary code, via a
  TGS request, as demonstrated by a request from a Windows Active Directory
  client.

Comment 6 Eray Aslan gentoo-dev 2010-11-05 21:15:46 UTC
+*mit-krb5-1.8.3-r1 (05 Nov 2010)
+
+  05 Nov 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r1.ebuild,
+  +files/CVE-2010-1322.patch:
+  Security bump - bug #339866
+
Comment 7 Paul B. Henson 2010-11-22 22:24:43 UTC
Any thoughts on getting this security fix marked stable?

Thanks...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 23:11:15 UTC
Arches, please test and mark stable:
=app-crypt/mit-krb5-1.8.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-23 09:00:42 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-23 18:02:34 UTC
Stable for HPPA PPC.
Comment 11 Agostino Sarubbo gentoo-dev 2010-11-24 18:17:57 UTC
amd64 ok
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-11-25 16:02:08 UTC
ppc64 done
Comment 13 Alex Buell 2010-11-25 20:32:00 UTC
Seems to build just fine on SPARC, but no tests to run though. 
Comment 14 Eray Aslan gentoo-dev 2010-11-26 07:25:23 UTC
(In reply to comment #13)
> Seems to build just fine on SPARC, but no tests to run though.

https://bugs.gentoo.org/show_bug.cgi?id=346549#c2
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-11-26 08:37:14 UTC
amd64 done. Thanks Agostino
Comment 16 Alex Buell 2010-11-26 17:07:18 UTC
Retested 1.8.3-r1 as someone said they'd added tests to it. No sign of the tests. Perhaps another time but I didn't seen any problems.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-11-27 12:17:40 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-27 15:41:56 UTC
Thanks, folks.

GLSA Vote: yes.
Comment 19 Dustin Polke 2010-11-27 18:21:51 UTC
Make this bug depend on #328467 as keyutils fails to merge on sparc right now.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:59:53 UTC
Added to pending glsa request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:26 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).