Bug 639702 (CVE-2017-15088) - <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability
Summary: <app-crypt/mit-krb5-1.15.2-r1: Remote Code Execution vulnerability
Alias: CVE-2017-15088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B1 [noglsa cve]
Depends on:
Reported: 2017-12-04 01:58 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-27 22:08 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 01:58:22 UTC
CVE-2017-15088:
  plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5)
  through 1.15.2 mishandles Distinguished Name (DN) fields, which allows
  remote attackers to execute arbitrary code or cause a denial of service
  (buffer overflow and application crash) in situations involving untrusted
  X.509 data, related to the get_matching_data and X509_NAME_oneline_ex
  functions. NOTE: this has security relevance only in use cases outside of
  the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC
  certauth plugin code that is specific to Red Hat.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-04 01:59:04 UTC
@Maintainers, could you confirm if we are affected?

Thank you
Comment 2 Eray Aslan gentoo-dev 2017-12-05 10:04:09 UTC
app-crypt/mit-krb5-1.15.2 is vulnerable.

Arches, please test and mark stable

Target Keywords = alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2017-12-06 20:57:33 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-08 20:40:34 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-09 14:54:18 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-10 23:01:06 UTC
ppc/ppc64 stable
Comment 7 Markus Meier gentoo-dev 2017-12-13 21:06:45 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-28 22:03:09 UTC
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 16:52:09 UTC
Stable on alpha.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:49:52 UTC
GLSA request filed.

@maintainer(s), please clean the vulnerable version from the tree (note that sparc is now an exp profile and has a previous stable keyword).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-01-27 22:08:01 UTC
After further discussion with other team members, this vulnerability is not relevant to Gentoo. It only impacts Red Hat's MIT KRB5 implementation due to additional code/changes. Upstream is not impacted and as such Gentoo is not.