** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

[CVE-2009-0844] The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read beyond the end of a network input buffer. This can cause a GSS-API application to crash by reading from invalid address space. Under theoretically possible but very unlikely conditions, a small information leak may occur. We believe that no successful exploit exists that could induce an information leak.

[CVE-2009-0847] MIT krb5 can perform an incorrect length check inside an ASN.1 decoder. This only presents a problem in the PK-INIT code paths. In the MIT krb5 KDC or kinit program, this could lead to spurious malloc() failures or, under some conditions, program crash. We have heard reports of the spurious malloc() failures, but nobody has yet publicly made the connection to a security issue.
Note that CVE-2009-0845 will also be covered in MITKRB5-SA-2009-001, but has been disclosed in bug 262736 previously. Mueli, please prepare an ebuild applying the patch and attach it to this bug report. Do not commit anything to CVS, we will do prestable testing on this bug.
Created attachment 185901: CVE-2009-0844+CVE-2009-0847.patch
Created attachment 185967: ebuild using the attached patch
To build 1.6.3-r6 simply copy the applied patch into $FILESDIR with the given name. g, mueli
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa  : jer
ppc   : dertobi123
ppc64 : corsair
sparc : fmccor
x86   : maekke, armin76
OK for HPPA.
looks good on amd64/x86.
add ranger
Removing yoswink and adding klausman as per armin's request.
I'm sorry to inform you all that another vulnerability has been brought to our attention confidentially by MIT upstream, and we should fix this issue as well. It might allow for remote execution of code with root privileges. I have forwarded details to mueli, and I hope he will have a new prestable ebuild here to test shortly.

MITKRB5-SA-2009-002 [CVE-2009-0846]: ASN.1 decoder frees uninitialized pointer

An ASN.1 decoder can free an uninitialized pointer when decoding an invalid encoding. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code. No exploit is known to exist that would cause arbitrary code execution.

...

An unauthenticated, remote attacker could cause a Kerberos application, including the Kerberos administration daemon (kadmind) or the KDC to crash, and possibly to execute arbitrary code. Compromise of the KDC or kadmind can compromise the Kerberos key database and host security on the KDC host. (The KDC and kadmind typically run as root.) Third-party applications using MIT krb5 may also be vulnerable.
Created attachment 187080: ebuild including the latest CVE patch
Created attachment 187082: CVE patch to comment #10
(In reply to comment #10) Sorry for the delay. See attached patch and new ebuild using this patch. g, mueli
Sparc looks good.
Adding another new minion for prestable love.
Builds fine and seems to work on ppc/ppc64.
now public, please commit with the stable keywords gathered ASAP.
*** Bug 265392 has been marked as a duplicate of this bug. ***
(In reply to comment #17)
> now public, please commit with the stable keywords gathered ASAP.
OK for HPPA as well.
Sure, once it makes it to CVS.
Committed -r6 revision including the patches - sorry for missing that ... g, mueli
(In reply to comment #17)
> now public, please commit with the stable keywords gathered ASAP.
The keywords for sparc, ppc{,64} and hppa didn't make it into the ebuild.
+ 08 Apr 2009; Raúl Porcel <armin76@gentoo.org> mit-krb5-1.6.3-r6.ebuild:
+ alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable wrt #263398 and also
+ stabilize on hppa/ppc/ppc64

Remaining: amd64
amd64 stable.
GLSA 200904-09
CVE-2009-0844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0844):
The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.

CVE-2009-0846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0846):
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.

CVE-2009-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0847):
The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic.
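The three advisory descriptions above boil down to two recurring C defects: a bounds check that adds an untrusted length to a cursor pointer, so that a crafted length wraps past the end of the input (the over-read in get_input_token, the bad pointer arithmetic in asn1buf_imbed), and a cleanup path that frees a local pointer that was never assigned (the GeneralizedTime decoder). The program below is an added example written for this bug page; it is not krb5 code, and its buffer type, 4-byte length-prefixed token format, sample inputs and function names (inbuf_t, imbed_broken, imbed_safe, read_token, read_token_dup) are all constructed for illustration. It shows the wrap-prone check beside the one that compares the length against the bytes actually remaining, and the NULL-initialised-local idiom that keeps an early error from freeing garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not krb5 code: an input buffer in the base/next/bound
 * shape so the two length-check idioms can be compared side by side. */
typedef struct {
    const unsigned char *base;
    const unsigned char *next;   /* read cursor */
    const unsigned char *bound;  /* one past the last valid byte */
} inbuf_t;

static void inbuf_init(inbuf_t *b, const unsigned char *data, size_t len) {
    b->base = data;
    b->next = data;
    b->bound = data + len;
}

static size_t inbuf_remaining(const inbuf_t *b) {
    return (size_t)(b->bound - b->next);  /* both point into one array */
}

/* Broken pattern: "cursor + untrusted length" as an unsigned address sum.
 * A length near SIZE_MAX wraps the sum to below the bound, the check
 * passes, and the caller receives a sub-buffer that runs past the input.
 * Returns 0 when the check (wrongly) passes, -1 when it rejects. */
static int imbed_broken(const inbuf_t *in, size_t length, inbuf_t *sub) {
    uintptr_t end = (uintptr_t)in->next + (uintptr_t)length;  /* may wrap */
    if (end > (uintptr_t)in->bound)
        return -1;
    sub->base = in->next;
    sub->next = in->next;
    sub->bound = (const unsigned char *)end;   /* past the real input */
    return 0;
}

/* Hardened pattern: compare the untrusted length against what remains.
 * No arithmetic is performed on the untrusted value, so nothing can wrap. */
static int imbed_safe(const inbuf_t *in, size_t length, inbuf_t *sub) {
    if (length > inbuf_remaining(in))
        return -1;
    sub->base = in->next;
    sub->next = in->next;
    sub->bound = in->next + length;
    return 0;
}

/* Token reader for a constructed wire format (4-byte big-endian length,
 * then the body). On success *out points into the input, *out_len is the
 * body length and the cursor is advanced past the token. Outputs are
 * set to NULL/0 first so no error path returns an indeterminate pointer. */
static int read_token(inbuf_t *in, const unsigned char **out, size_t *out_len) {
    inbuf_t body;
    uint32_t len;

    *out = NULL;
    *out_len = 0;
    if (inbuf_remaining(in) < 4)
        return -1;                       /* not even a full length prefix */
    len = ((uint32_t)in->next[0] << 24) | ((uint32_t)in->next[1] << 16) |
          ((uint32_t)in->next[2] << 8)  |  (uint32_t)in->next[3];
    in->next += 4;
    if (imbed_safe(in, (size_t)len, &body) != 0)
        return -1;                       /* body would run past the buffer */
    *out = body.base;
    *out_len = (size_t)len;
    in->next += len;
    return 0;
}

/* Copy-out variant with a single cleanup label. The local that the label
 * frees is initialised to NULL, so an error before the allocation frees
 * nothing instead of whatever happened to be on the stack. */
static int read_token_dup(inbuf_t *in, char **out) {
    const unsigned char *p;
    size_t n;
    char *copy = NULL;                   /* never "char *copy;" here */
    int ret = -1;

    *out = NULL;
    if (read_token(in, &p, &n) != 0)
        goto cleanup;                    /* copy is still NULL */
    copy = malloc(n + 1);
    if (copy == NULL)
        goto cleanup;
    memcpy(copy, p, n);
    copy[n] = '\0';
    *out = copy;
    copy = NULL;                         /* ownership moved to the caller */
    ret = 0;
cleanup:
    free(copy);                          /* free(NULL) is a no-op */
    return ret;
}

/* Constructed sample inputs: a well-formed token with two trailing bytes,
 * one whose length claims 100 bytes when only 3 follow, and one too short
 * to hold a length prefix at all. */
static const unsigned char sample_good[]     = {0, 0, 0, 3, 'a', 'b', 'c', 'z', 'z'};
static const unsigned char sample_overlong[] = {0, 0, 0, 100, 'a', 'b', 'c'};
static const unsigned char sample_short[]    = {0, 0};

int main(void) {
    inbuf_t in;
    const unsigned char *p;
    size_t n;
    inbuf_init(&in, sample_good, sizeof sample_good);
    return (read_token(&in, &p, &n) == 0 && n == 3) ? 0 : 1;
}
```

The difference between the two imbed functions is the whole fix: `length > bound - next` only subtracts two pointers that belong to the same array, whereas `next + length > bound` performs arithmetic on the attacker's number first and asks questions afterwards.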