Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533734 (CVE-2014-5353) - <app-crypt/mit-krb5-1.13-r1: kadmin NULL pointer dereference issues (CVE-2014-{5353,5354})
Summary: <app-crypt/mit-krb5-1.13-r1: kadmin NULL pointer dereference issues (CVE-2014...
Status: RESOLVED FIXED
Alias: CVE-2014-5353
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2014-5352
Blocks:
  Show dependency tree
 
Reported: 2014-12-28 09:20 UTC by Agostino Sarubbo
Modified: 2015-05-11 15:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-28 09:20:47 UTC
From ${URL} :

If anyone missed it, there are two NULL pointer dereference issues when 
kadmind is used with an LDAP back end for the KDC database. Both require 
authentication.

CVE-2014-5353
https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3

CVE-2014-5354
https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773228


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 22:13:23 UTC
CVE-2014-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5354):
  plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5)
  1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote
  authenticated users to cause a denial of service (NULL pointer dereference
  and daemon crash) by creating a database entry for a keyless principal, as
  demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.

CVE-2014-5353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5353):
  The krb5_ldap_get_password_policy_from_dn function in
  plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5)
  before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to
  cause a denial of service (daemon crash) via a successful LDAP query with no
  results, as demonstrated by using an incorrect object type for a password
  policy.
Comment 2 Paul B. Henson 2015-02-04 20:45:54 UTC
There's an updated ebuild in bug #538842 that resolves these issues.
Comment 3 Eray Aslan gentoo-dev 2015-02-05 16:30:58 UTC
+*mit-krb5-1.13-r1 (05 Feb 2015)
+
+  05 Feb 2015; Eray Aslan <eras@gentoo.org> +files/2015-001-patch-r113.patch,
+  +files/mit-krb5-CVE-2014-5353.patch, +files/mit-krb5-CVE-2014-5354.patch,
+  +mit-krb5-1.13-r1.ebuild:
+  Security bump - bugs #533734 #538842
+

Stabilization request filed at bug #538842
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-22 20:38:02 UTC
Maintainer(s), Thank you for you for cleanup.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-11 15:29:32 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2015-05-11 15:59:03 UTC
GLSA Vote: No