Bug 753281 (CVE-2020-28196) - <app-crypt/mit-krb5-1.18.2-r2: Denial of service via crafted ASN.1-encoded message (CVE-2020-28196)
Status: RESOLVED FIXED
Alias: CVE-2020-28196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/krb5/krb5/commit/5...
Whiteboard: B3 [glsa+]
Reported: 2020-11-06 07:55 UTC by Sam James
Modified: 2020-11-19 15:50 UTC
Package list:
app-crypt/mit-krb5-1.18.2-r2
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-11-06 07:55:51 UTC
"MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit."
Comment 1 Sam James archtester gentoo-dev Security 2020-11-06 07:56:28 UTC
From the commit (see URL):
"The libkrb5 ASN.1 decoder supports BER indefinite lengths.  It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash.  Reported by Demi Obenour.

CVE-2020-28196:

In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length."
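An added example, not part of the bug report or the krb5 source: a minimal C routine that computes a BER element's total length, recursing into indefinite-length contents with the kind of explicit depth limit the commit message says was missing. The function name, the `MAX_DEPTH` value and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH 32  /* assumed limit, chosen for this example */

/* Total encoded size of the BER element at buf (header, contents and any
 * end-of-contents octets), or -1 if malformed, truncated or nested too deep. */
static long ber_element_len(const unsigned char *buf, size_t len, int depth)
{
    size_t pos = 2, clen = 0, i, n;

    if (depth >= MAX_DEPTH)                  /* the bound the recursion needs */
        return -1;
    if (len < 2 || (buf[0] & 0x1f) == 0x1f)  /* multi-byte tags not handled */
        return -1;
    if (buf[1] == 0x80) {                    /* indefinite length */
        if (!(buf[0] & 0x20))                /* valid on constructed types only */
            return -1;
        for (;;) {                           /* children until 00 00 */
            long sub;
            if (len - pos >= 2 && buf[pos] == 0 && buf[pos + 1] == 0)
                return (long)(pos + 2);
            sub = ber_element_len(buf + pos, len - pos, depth + 1);
            if (sub < 0)
                return -1;
            pos += (size_t)sub;
        }
    }
    clen = buf[1] & 0x7f;                    /* short definite form */
    if (buf[1] & 0x80) {                     /* long form: n length octets */
        n = clen;
        if (n > 3 || len - 2 < n)
            return -1;
        for (clen = 0, i = 0; i < n; i++)
            clen = (clen << 8) | buf[2 + i];
        pos += n;
    }
    return clen <= len - pos ? (long)(pos + clen) : -1;
}

int main(void)
{
    /* Constructed sample: SEQUENCE (indefinite) { OCTET STRING "AB" } EOC */
    const unsigned char msg[] = { 0x30, 0x80, 0x04, 0x02, 0x41, 0x42, 0x00, 0x00 };

    printf("element length: %ld\n", ber_element_len(msg, sizeof(msg), 0));
    return 0;
}
```

Definite-length elements are skipped by their stated length, so only indefinite-length nesting consumes stack, and the depth check caps that at `MAX_DEPTH` frames regardless of input size.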
Comment 2 Larry the Git Cow gentoo-dev 2020-11-10 07:35:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c6a41be59b79c996b2e0493399c035e35f8fed9

commit 7c6a41be59b79c996b2e0493399c035e35f8fed9
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-11-10 07:35:33 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-11-10 07:35:33 +0000

    app-crypt/mit-krb5: CVE-2020-28196 security bump
    
    Bug: https://bugs.gentoo.org/753281
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/mit-krb5-1.18.2-r2.ebuild | 168 +++++++++++++++++++++++++++
 1 file changed, 168 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-11-10 21:02:54 UTC
arm64 done
Comment 4 Sam James archtester gentoo-dev Security 2020-11-10 21:03:20 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2020-11-10 23:49:07 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2020-11-10 23:49:55 UTC
ppc64 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-11-11 04:57:21 UTC
x86 done
Comment 8 Sergei Trofimovich gentoo-dev 2020-11-12 07:53:05 UTC
hppa/ppc stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-11-16 02:43:29 UTC
This issue was resolved and addressed in
 GLSA 202011-17 at https://security.gentoo.org/glsa/202011-17
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-11-16 02:44:05 UTC
re-opened for cleanup
Comment 11 Larry the Git Cow gentoo-dev 2020-11-17 08:18:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed0bf071cd61eb893b480fc5a212023fdd0e4f34

commit ed0bf071cd61eb893b480fc5a212023fdd0e4f34
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-11-17 08:18:19 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-11-17 08:18:19 +0000

    app-crypt/mit-krb5: security cleanup
    
    Bug: https://bugs.gentoo.org/753281
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild | 167 ---------------------------
 1 file changed, 167 deletions(-)
Comment 12 Larry the Git Cow gentoo-dev 2020-11-17 09:21:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c7ac26c4dca6eeb952253a922735dbea7af285b

commit 1c7ac26c4dca6eeb952253a922735dbea7af285b
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-11-17 09:19:03 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-17 09:20:23 +0000

    Revert "app-crypt/mit-krb5: security cleanup"
    
    This reverts commit ed0bf071cd61eb893b480fc5a212023fdd0e4f34.
    
     - not all arches are yet stabilized.
    
    Bug: https://bugs.gentoo.org/753281
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild | 167 +++++++++++++++++++++++++++
 1 file changed, 167 insertions(+)
Comment 13 Agostino Sarubbo gentoo-dev 2020-11-17 19:12:17 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-11-19 09:02:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93c74315c5ee625013b6e4d7cc5a99f927aed325

commit 93c74315c5ee625013b6e4d7cc5a99f927aed325
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-11-19 09:00:23 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-11-19 09:00:23 +0000

    app-crypt/mit-krb5: security cleanup
    
    Bug: https://bugs.gentoo.org/753281
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild | 167 ---------------------------
 1 file changed, 167 deletions(-)
Comment 15 John Helmert III (ajak) 2020-11-19 15:44:04 UTC
GLSA'd, tree is clean, closing.