Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 429324 (CVE-2012-1014) - <app-crypt/mit-krb5-1.9.4-r1 : KDC Two Memory Corruption Vulnerabilities (CVE-2012-{1014,1015})
Summary: <app-crypt/mit-krb5-1.9.4-r1 : KDC Two Memory Corruption Vulnerabilities (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-1014
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50041/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-01 09:56 UTC by Agostino Sarubbo
Modified: 2013-12-16 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-08-01 09:56:25 UTC
From secunia at $URL:


Description
Two vulnerabilities have been reported in Kerberos, which can be exploited by malicious people to potentially compromise a vulnerable system.

1) An error within the "kdc_handle_protected_negotiation()" function (src/kdc/kdc_util.c) when creating a checksum does not properly verify the key type and can be exploited to free an uninitialized pointer via a specially crafted AS-REQ.

This vulnerability is reported in krb5-1.8 and later only.

2) An uninitialized pointer dereference error within the "finish_process_as_req()" function (src/kdc/do_as_req.c) can be exploited to corrupt the memory by sending a specially crafted AS-REQ.

This vulnerability is reported in krb5-1.10 and later only.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.


Solution
Apply the patch (fixes are scheduled for the upcoming release of krb5-1.10.3 and krb5-1.9.5).
Further details available in Customer Area

Provided and/or discovered by
The vendor credits Emmanuel Bouillon, NCI Agency.

Original Advisory
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2012-001.txt
Comment 1 Eray Aslan gentoo-dev 2012-08-01 16:38:45 UTC
+*mit-krb5-1.10.2-r1 (01 Aug 2012)
+*mit-krb5-1.9.4-r1 (01 Aug 2012)
+
+  01 Aug 2012; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.4-r1.ebuild,
+  +mit-krb5-1.10.2-r1.ebuild, +files/CVE-2012-1014.patch,
+  +files/CVE-2012-1015.patch:
+  Security bump - bug #429324
+

@security:  We should stabilize both =app-crypt/mit-krb5-1.9.4-r1 and =app-crypt/mit-krb5-1.10.2-r1.  But please note that =app-crypt/mit-krb5-1.10.2-r1 has additional keyword/stabilization requirements - see bug #412489.
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-01 16:47:31 UTC
(In reply to comment #1)
> @security:  We should stabilize both =app-crypt/mit-krb5-1.9.4-r1 and
> =app-crypt/mit-krb5-1.10.2-r1.  But please note that
> =app-crypt/mit-krb5-1.10.2-r1 has additional keyword/stabilization
> requirements - see bug #412489.

1.10 never had stable keyword, so no need to stabilize here and cause delay because of missing keywords.

We stabilize only 1.9.

Arches, please test and mark stable:
=app-crypt/mit-krb5-appl-1.9.4-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-08-02 06:06:52 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-02 13:10:21 UTC
amd64 stable
Comment 5 Jeroen Roovers gentoo-dev 2012-08-03 01:37:37 UTC
(In reply to comment #2)
> Arches, please test and mark stable:
> =app-crypt/mit-krb5-appl-1.9.4-r1
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=app-crypt/mit-krb5-1.9.4-r1
Comment 6 Jeroen Roovers gentoo-dev 2012-08-03 03:06:10 UTC
Stable for HPPA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 00:55:13 UTC
CVE-2012-1015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1015):
  The kdc_handle_protected_negotiation function in the Key Distribution Center
  (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x before 1.9.5, and 1.10.x
  before 1.10.3 attempts to calculate a checksum before verifying that the key
  type is appropriate for a checksum, which allows remote attackers to execute
  arbitrary code or cause a denial of service (uninitialized pointer free,
  heap memory corruption, and daemon crash) via a crafted AS-REQ request.

CVE-2012-1014 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1014):
  The process_as_req function in the Key Distribution Center (KDC) in MIT
  Kerberos 5 (aka krb5) 1.10.x before 1.10.3 does not initialize a certain
  structure member, which allows remote attackers to cause a denial of service
  (uninitialized pointer dereference and daemon crash) or possibly execute
  arbitrary code via a malformed AS-REQ request.
Comment 8 Markus Meier gentoo-dev 2012-08-12 16:39:16 UTC
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:36:26 UTC
alpha/ia64/s390/sh/sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-22 07:47:46 UTC
ppc/ppc64 stable, last arch done
Comment 11 Sean Amoss gentoo-dev Security 2012-09-22 15:11:13 UTC
Thanks, everyone.

New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-12-16 17:53:55 UTC
This issue was resolved and addressed in
 GLSA 201312-12 at http://security.gentoo.org/glsa/glsa-201312-12.xml
by GLSA coordinator Sergey Popov (pinkbyte).