Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 393429 (CVE-2011-1530) - <app-crypt/mit-krb5-1.9.2-r1 DoS (CVE-2011-1530)
Summary: <app-crypt/mit-krb5-1.9.2-r1 DoS (CVE-2011-1530)
Status: RESOLVED FIXED
Alias: CVE-2011-1530
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://web.mit.edu/kerberos/advisorie...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-06 19:46 UTC by Paul B. Henson
Modified: 2012-01-23 20:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paul B. Henson 2011-12-06 19:46:11 UTC
Per referenced URL, MIT Kerberos 1.9.x is vulnerable to a DoS due to a KDC null pointer dereference in TGS handling.

A patch to fix this issue is available at:

http://web.mit.edu/kerberos/advisories/2011-007-patch.txt

Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2011-12-07 08:07:22 UTC
+*mit-krb5-1.9.2-r1 (07 Dec 2011)
+
+  07 Dec 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.2-r1.ebuild,
+  +files/CVE-2011-1530.patch:
+  security bump - bug #393429
+

@security:  Please stabilize =app-crypt/mit-krb5-1.9.2-r1.  Thank you.
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-07 08:25:39 UTC
Thanks, Eray.

Arches, please test and mark stable:
=app-crypt/mit-krb5-1.9.2-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-07 10:40:30 UTC
amd64 ok
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-07 18:06:09 UTC
Stable for HPPA.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-08 17:03:55 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2011-12-11 14:43:31 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-11 16:39:57 UTC
Stable for AMD64
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:34:02 UTC
CVE-2011-1530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1530):
  The process_tgs_req function in do_tgs_req.c in the Key Distribution Center
  (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote
  authenticated users to cause a denial of service (NULL pointer dereference
  and daemon crash) via a crafted TGS request that triggers an error other
  than the KRB5_KDB_NOENTRY error.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2011-12-22 23:23:40 UTC
ppc/ppc64 done
Comment 10 Agostino Sarubbo gentoo-dev 2011-12-22 23:32:14 UTC
@Security, please proceed to vote.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-23 06:13:11 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-10 01:24:10 UTC
GLSA vote: yes. Adding to existing request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:57 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).