Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538842 (CVE-2014-5352) - <app-crypt/mit-krb5-1.13-r1: MITKRB5-SA-2015-001 Vulnerabilities in kadmind, libgssrpc, gss_process_context_token (CVE-2014-{5352,9421,9422,9423})
Summary: <app-crypt/mit-krb5-1.13-r1: MITKRB5-SA-2015-001 Vulnerabilities in kadmind, ...
Status: RESOLVED FIXED
Alias: CVE-2014-5352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2014-5353
  Show dependency tree
 
Reported: 2015-02-04 20:44 UTC by Paul B. Henson
Modified: 2015-05-11 15:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
updated ebuild (mit-krb5-1.13-r1.patch,31.64 KB, patch)
2015-02-04 20:44 UTC, Paul B. Henson
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Paul B. Henson 2015-02-04 20:44:22 UTC
Created attachment 395552 [details, diff]
updated ebuild

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt:

The MIT krb5 team has discovered four vulnerabilities affecting
kadmind.  Some of these vulnerabilities may also affect server
applications which use the gssrpc library or the
gss_process_context_token() function.  These are implementation
vulnerabilities, not vulnerabilities in the Kerberos protocol.

CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller is left with a security context handle
containing a dangling pointer.  Further uses of this handle will
result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as they
can be instructed to call gss_process_context_token().

CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results.  Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.

CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.

CVE-2014-9423: libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused "handle" field in replies to clients.



I've attached a patch to update the ebuild to 1.13-r1, which fixes these vulnerabilities and also those from bug #533734.
Comment 1 Eray Aslan gentoo-dev 2015-02-05 16:29:19 UTC
+*mit-krb5-1.13-r1 (05 Feb 2015)
+
+  05 Feb 2015; Eray Aslan <eras@gentoo.org> +files/2015-001-patch-r113.patch,
+  +files/mit-krb5-CVE-2014-5353.patch, +files/mit-krb5-CVE-2014-5354.patch,
+  +mit-krb5-1.13-r1.ebuild:
+  Security bump - bugs #533734 #538842
+

Arches, please test and mark stable =app-crypt/mit-krb5-1.13-r1.  Thank you.

Target Stable Keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers gentoo-dev 2015-02-06 09:09:00 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-06 11:34:15 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-06 11:35:56 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2015-02-08 21:12:58 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-16 10:23:46 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:50 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:15 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:28 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:38 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-04-12 22:39:52 UTC
CVE-2014-9423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9423):
  The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT
  Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and
  1.13.x before 1.13.1 transmits uninitialized interposer data to clients,
  which allows remote attackers to obtain sensitive information from process
  heap memory by sniffing the network for data in a handle field.

CVE-2014-9422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9422):
  The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in
  MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x
  before 1.13.1 allows remote authenticated users to bypass a kadmin/*
  authorization check and obtain administrative access by leveraging access to
  a two-component principal with an initial "kadmind" substring, as
  demonstrated by a "ka/x" principal.

CVE-2014-9421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9421):
  The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT
  Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x
  before 1.13.1 does not properly handle partial XDR deserialization, which
  allows remote authenticated users to cause a denial of service
  (use-after-free and double free, and daemon crash) or possibly execute
  arbitrary code via malformed XDR data, as demonstrated by data sent to
  kadmind.

CVE-2014-5352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5352):
  The krb5_gss_process_context_token function in
  lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT
  Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x
  before 1.13.1 does not properly maintain security-context handles, which
  allows remote authenticated users to cause a denial of service
  (use-after-free and double free, and daemon crash) or possibly execute
  arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to
  kadmind.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-19 16:24:53 UTC
Arches, Thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-11 15:29:13 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 15:31:10 UTC
GLSA vote: no.

Closing as [noglsa].