Bug 262736 (CVE-2009-0845) - <app-crypt/mit-krb5-1.6.3-r5: SPNEGO can dereference a null pointer (CVE-2009-0845)
Status: RESOLVED FIXED
Alias: CVE-2009-0845
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://krbdev.mit.edu/rt/Ticket/Displ...
Whiteboard: A3 [glsa]
Reported: 2009-03-16 22:20 UTC by Robert Buchholz (RETIRED)
Modified: 2009-04-08 22:47 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 22:20:33 UTC
A null pointer dereference in libgssapi_krb5 can lead to a Denial of Service in kerberized daemons. See referenced bug report for details and patch (committed to SVN trunk and 1.7 branch).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-18 17:24:38 UTC
ping, please apply this patch.
http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=22084&view=rev
Comment 2 Michael Hammer (RETIRED) gentoo-dev 2009-03-20 09:31:37 UTC
Committed mit-krb5-1.6.3-r5 with new patch set release including this patch. Made arch unstable as local installed files are definitely modified.

g, mueli
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-20 10:46:34 UTC
Arches, please test and mark stable:
=app-crypt/mit-krb5-1.6.3-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-03-20 15:31:30 UTC
ppc64 done
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-03-20 15:31:40 UTC
ppc done
Comment 6 Markus Meier gentoo-dev 2009-03-20 23:36:57 UTC
amd64/x86 stable
Comment 7 Tobias Klausmann gentoo-dev 2009-03-22 18:40:35 UTC
Stable on alpha.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-03-23 14:32:12 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Jeroen Roovers gentoo-dev 2009-03-27 21:41:52 UTC
Stable for HPPA.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-28 10:25:50 UTC
CVE-2009-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0845):
  The spnego_gss_accept_sec_context function in
  lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3,
  when SPNEGO is used, allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) via invalid
  ContextFlags data in the reqFlags field in a negTokenInit token.

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-08 18:18:57 UTC
glsa with #263398
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-04-08 22:47:26 UTC
GLSA 200904-09