MIT krb5 Security Advisory 2010-006 Topic: KDC uninitialized pointer crash in authorization data handling [...] AFFECTED SOFTWARE ================= * KDC in MIT krb5-1.8 through krb5-1.8.3 * Earlier releases of MIT krb5 did not contain the vulnerable code. Patch available at http://web.mit.edu/kerberos/advisories/2010-006-patch.txt Please add to ebuild, thanks...
adding maintainers
Created attachment 249737 [details, diff] CVE-2010-1322.patch
Created attachment 249739 [details] mit-krb5-1.8.3-r1.ebuild Changelog: Security bump bug #339866. Add double blocker to heimdal bug #339143. On a side note, we can remove all patches in ${FILESDIR} except CVE-2010-1322.
Is someone going to add this to portage and get it stabilized? The current stable version is still vulnerable to this security issue. Thanks...
CVE-2010-1322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322): The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request, as demonstrated by a request from a Windows Active Directory client.
+*mit-krb5-1.8.3-r1 (05 Nov 2010) + + 05 Nov 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r1.ebuild, + +files/CVE-2010-1322.patch: + Security bump - bug #339866 +
Any thoughts on getting this security fix marked stable? Thanks...
Arches, please test and mark stable: =app-crypt/mit-krb5-1.8.3-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
Stable for HPPA PPC.
amd64 ok
ppc64 done
Seems to build just fine on SPARC, but no tests to run though.
(In reply to comment #13) > Seems to build just fine on SPARC, but no tests to run though. https://bugs.gentoo.org/show_bug.cgi?id=346549#c2
amd64 done. Thanks Agostino
Retested 1.8.3-r1 as someone said they'd added tests to it. No sign of the tests. Perhaps another time but I didn't seen any problems.
alpha/arm/ia64/m68k/s390/sh/sparc stable
Thanks, folks. GLSA Vote: yes.
Make this bug depend on #328467 as keyutils fails to merge on sparc right now.
Added to pending glsa request.
This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle).
