Bug 52744 - app-crypt/mit-krb5 buffer overflows in krb5_aname_to_localname
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://web.mit.edu/kerberos/advisorie...
Whiteboard: C0 [glsa]
Reported: 2004-06-01 18:59 UTC by Dan Margolis (RETIRED)
Modified: 2011-10-30 22:40 UTC

Description Dan Margolis (RETIRED) gentoo-dev 2004-06-01 18:59:48 UTC
It seems there's a buffer overflow in MIT's kerberos 5. 

``The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access.  Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service.  (See
MITIGATING FACTORS below.)  No exploits are known to exist yet.''

It seems that most servers will not be configured in a way that makes them vulnerable, but if vulnerable, an authenticated user could execute code remotely. See the advisory for more information.

Reproducible: Always
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-02 02:14:02 UTC
Patch for 1.3.3 available at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt

netmon : please apply patch and bump to 1.3.3-r1
Comment 2 solar (RETIRED) gentoo-dev 2004-06-02 05:20:40 UTC
kerberos vuln.. who would have ever guessed
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-05 01:37:36 UTC
Patch has been recently updated at given URL.

netmon does not have much time for the moment, so security can apply the patch with their blessing. If anyone with commit feels like it...
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:51:07 UTC
netmon herd: if you have more availability now to patch this, as no one in the security team has stepped up yet... We are getting quite late.
Comment 5 Jon Hood (RETIRED) gentoo-dev 2004-06-15 14:38:28 UTC
Sorry this took so long; I haven't done any security-related bugs before, but seeing as no one else has worked on this, could everyone please test 1.3.3-r1 which I just put into portage with the suggested patch?
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-06-16 01:01:13 UTC
Thank you Jon.
Adding all arches for testing : please test and mark app-crypt/mit-krb5-1.3.3-r1 stable.
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-17 02:15:19 UTC
Stable on alpha.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-06-17 05:43:40 UTC
Stable on sparc.
Comment 9 Guy Martin (RETIRED) gentoo-dev 2004-06-18 04:55:08 UTC
Stable on hppa.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-06-21 08:23:24 UTC
GLSA drafted: security please review.

x86 ppc amd64 please mark stable asap.
Comment 11 SpanKY gentoo-dev 2004-06-24 18:00:02 UTC
sorry for delay, marked arm stable

btw, wtf is this for:
    CFLAGS=`echo ${CFLAGS} | xargs`
    CXXFLAGS=`echo ${CXXFLAGS} | xargs`
    LDFLAGS=`echo ${LDFLAGS} | xargs`
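The `xargs` idiom asked about above re-tokenizes its input on blanks, tabs and newlines and hands the tokens to `echo`, so the net effect is to collapse runs of whitespace in a flags string to single spaces. The following is an added example (not from the ebuild or from this bug) showing that behaviour and the quoting caveat that comes with it; `normalize_flags` and the inputs are constructed for illustration:

```shell
# Added example, not part of the mit-krb5 ebuild: what `echo ${CFLAGS} | xargs`
# does to a flags string. xargs splits stdin on blanks, tabs and newlines and
# runs echo on the resulting tokens, so internal whitespace runs collapse to one
# space and leading/trailing whitespace disappears.
normalize_flags() {
    printf '%s\n' "$1" | xargs
}

# Constructed input with doubled spaces, a tab and an embedded newline.
MESSY=$(printf '  -O2   -march=i686\n\t-pipe  ')
normalize_flags "$MESSY"          # prints: -O2 -march=i686 -pipe

# Caveat: xargs also interprets single quotes, double quotes and backslashes
# while tokenizing, so a quoted value is passed through without its quotes
# (and an unbalanced quote makes xargs error out). Flags that rely on shell
# quoting, e.g. -D defines with spaces, are therefore altered by this idiom.
normalize_flags '-DNAME="a b"'    # prints: -DNAME=a b
```

The first case is the harmless one the ebuild presumably wanted; the second is why the trick is not a no-op, since the string that reaches the build is no longer what the user set.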
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-06-25 13:54:37 UTC
We're getting very late on that one. Other distributions have advisories out since June 2...

x86, ppc, amd64 : please mark stable so that the GLSA can go out... or report why you can't mark stable.
Comment 13 Jon Hood (RETIRED) gentoo-dev 2004-06-27 20:06:14 UTC
I have tested this on stable x86 servers and other systems; it works fine. I marked it stable on x86 since I got tired of waiting.
Comment 14 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-27 23:26:16 UTC
stable on amd64.
Comment 15 Joshua Kinard gentoo-dev 2004-06-28 00:13:45 UTC
Stable on mips yesterday, removing CC.
Comment 16 Luca Barbato gentoo-dev 2004-06-28 13:59:29 UTC
Eventually marked ppc, sorry but I was busy.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-06-29 00:34:57 UTC
This is ready for GLSA publication.
ia64, ppc64, s390: don't forget to mark stable to benefit from the GLSA.
Comment 18 Kurt Lieber (RETIRED) gentoo-dev 2004-06-29 09:22:14 UTC
glsa 200406-21
Comment 19 Tom Gall (RETIRED) gentoo-dev 2004-07-13 19:55:58 UTC
1.3.1-r1 marked stable on ppc64