Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 339866 (CVE-2010-1322) - <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data handling DoS (CVE-2010-1322)
Summary: <app-crypt/mit-krb5-1.8.3-r1: Uninitialized pointer in authorization data han...
Status: RESOLVED FIXED
Alias: CVE-2010-1322
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://web.mit.edu/kerberos/advisorie...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 328467
Blocks:
  Show dependency tree
 
Reported: 2010-10-05 19:53 UTC by Paul B. Henson
Modified: 2012-01-23 20:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
CVE-2010-1322.patch (CVE-2010-1322.patch,1.04 KB, patch)
2010-10-06 11:45 UTC, Eray Aslan 		no flags Details | Diff
mit-krb5-1.8.3-r1.ebuild (mit-krb5-1.8.3-r1.ebuild,2.56 KB, text/plain)
2010-10-06 11:50 UTC, Eray Aslan 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Paul B. Henson 2010-10-05 19:53:46 UTC 
MIT krb5 Security Advisory 2010-006

Topic: KDC uninitialized pointer crash in authorization data handling
[...]
AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.8 through krb5-1.8.3

* Earlier releases of MIT krb5 did not contain the vulnerable code.


Patch available at

  http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

Please add to ebuild, thanks...
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-05 21:39:31 UTC 
adding maintainers
Comment 2 Eray Aslan gentoo-dev 2010-10-06 11:45:34 UTC 
Created attachment 249737 [details, diff]
CVE-2010-1322.patch
Comment 3 Eray Aslan gentoo-dev 2010-10-06 11:50:19 UTC 
Created attachment 249739 [details]
mit-krb5-1.8.3-r1.ebuild

Changelog:

Security bump bug #339866.  Add double blocker to heimdal bug #339143.


On a side note, we can remove all patches in ${FILESDIR} except CVE-2010-1322.
Comment 4 Paul B. Henson 2010-10-21 22:36:51 UTC 
Is someone going to add this to portage and get it stabilized? The current stable version is still vulnerable to this security issue.

Thanks...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2010-10-23 14:04:52 UTC 
CVE-2010-1322 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322):
  The merge_authdata function in kdc_authdata.c in the Key Distribution Center
  (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly
  manage an index into an authorization-data list, which allows remote
  attackers to cause a denial of service (daemon crash), or possibly obtain
  sensitive information, spoof authorization, or execute arbitrary code, via a
  TGS request, as demonstrated by a request from a Windows Active Directory
  client.
Comment 6 Eray Aslan gentoo-dev 2010-11-05 21:15:46 UTC 
+*mit-krb5-1.8.3-r1 (05 Nov 2010)
+
+  05 Nov 2010; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r1.ebuild,
+  +files/CVE-2010-1322.patch:
+  Security bump - bug #339866
+
Comment 7 Paul B. Henson 2010-11-22 22:24:43 UTC 
Any thoughts on getting this security fix marked stable?

Thanks...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 23:11:15 UTC 
Arches, please test and mark stable:
=app-crypt/mit-krb5-1.8.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-23 09:00:42 UTC 
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-23 18:02:34 UTC 
Stable for HPPA PPC.
Comment 11 Agostino Sarubbo gentoo-dev 2010-11-24 18:17:57 UTC 
amd64 ok
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-11-25 16:02:08 UTC 
ppc64 done
Comment 13 Alex Buell 2010-11-25 20:32:00 UTC 
Seems to build just fine on SPARC, but no tests to run though.
Comment 14 Eray Aslan gentoo-dev 2010-11-26 07:25:23 UTC 
(In reply to comment #13)
> Seems to build just fine on SPARC, but no tests to run though.

https://bugs.gentoo.org/show_bug.cgi?id=346549#c2
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-11-26 08:37:14 UTC 
amd64 done. Thanks Agostino
Comment 16 Alex Buell 2010-11-26 17:07:18 UTC 
Retested 1.8.3-r1 as someone said they'd added tests to it. No sign of the tests. Perhaps another time but I didn't seen any problems.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-11-27 12:17:40 UTC 
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-27 15:41:56 UTC 
Thanks, folks.

GLSA Vote: yes.
Comment 19 Dustin Polke 2010-11-27 18:21:51 UTC 
Make this bug depend on #328467 as keyutils fails to merge on sparc right now.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:59:53 UTC 
Added to pending glsa request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:26 UTC 
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).