Bug 934994 (CVE-2024-37370, CVE-2024-37371) - <app-crypt/mit-krb5-1.21.3 vulnerabilities in GSS message token handling
Status: CONFIRMED
Alias: CVE-2024-37370, CVE-2024-37371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://web.mit.edu/kerberos/www/krb5...
Whiteboard: B3 [glsa?]
Depends on: 934995
Reported: 2024-06-27 07:19 UTC by Eray Aslan
Modified: 2024-09-01 12:37 UTC
Description Eray Aslan gentoo-dev 2024-06-27 07:19:55 UTC
From the release notes:

Major changes in 1.21.3 (2024-06-26)
====================================

This is a bug fix release.

* Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
  CVE-2024-37371].

* Fix a potential bad pointer free in krb5_cccol_have_contents().

* Fix a memory leak in the macOS ccache type.
Comment 1 Larry the Git Cow gentoo-dev 2024-06-27 07:29:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b0b1dcf64f222410abcf1cb8cc953ffe497a205

commit 0b0b1dcf64f222410abcf1cb8cc953ffe497a205
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-06-27 07:27:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-06-27 07:29:23 +0000

    app-crypt/mit-krb5: add 1.21.3 security bump
    
    also
    - install ldif files when openldap USE flag is in use
    - make +threads USE flag mandatory
    
    Bug: https://bugs.gentoo.org/934994
    Closes: https://bugs.gentoo.org/890038
    Closes: https://bugs.gentoo.org/868462
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 +
 app-crypt/mit-krb5/mit-krb5-1.21.3.ebuild | 154 ++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-06-28 04:57:21 UTC
CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.


These sound like Denial of Service issues to me, but I'm not familiar enough with Kerberos to be sure and the description here is a bit sparse.
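
The two CVE summaries in Comment 2 both concern the plaintext header of a GSS krb5 wrap token. The following is an added example, not MIT krb5 code and not the 1.21.3 patch: it uses the RFC 4121 wrap token header layout, which this page does not reproduce, to show a receiver checking the token length before reading any field and confirming the outer Extra Count (EC) against the header copy carried inside the encrypted payload. `parse_wrap_hdr` and `check_sealed_plaintext` are hypothetical names, and the caller is assumed to have already undone the rotation and decrypted the payload.

```c
#include <stdint.h>
#include <string.h>

#define WRAP_HDR_LEN 16
#define FLAG_SEALED  0x02   /* RFC 4121 flag bit: confidentiality applied */

typedef struct { uint8_t flags; uint16_t ec, rrc; } wrap_hdr;

/* Parse the plaintext header. Returns 0, or -1 if short or malformed. */
int parse_wrap_hdr(const uint8_t *tok, size_t len, wrap_hdr *h)
{
    if (tok == NULL || len < WRAP_HDR_LEN)   /* length check before any read */
        return -1;
    if (tok[0] != 0x04 || tok[1] != 0x05 || tok[3] != 0xFF)
        return -1;                           /* TOK_ID 04 05, filler FF */
    h->flags = tok[2];
    h->ec  = (uint16_t)(tok[4] << 8 | tok[5]);
    h->rrc = (uint16_t)(tok[6] << 8 | tok[7]);
    return 0;
}

/* plain = data | EC filler octets | header copy with RRC zeroed.
 * Returns the data length, or -1 if the outer header is not confirmed. */
long check_sealed_plaintext(const uint8_t *tok, size_t tok_len,
                            const uint8_t *plain, size_t plain_len)
{
    wrap_hdr outer;
    uint8_t expect[WRAP_HDR_LEN];

    if (parse_wrap_hdr(tok, tok_len, &outer) != 0 || !(outer.flags & FLAG_SEALED))
        return -1;
    if (plain == NULL || plain_len < WRAP_HDR_LEN ||
        plain_len - WRAP_HDR_LEN < outer.ec)
        return -1;                           /* EC must fit in the plaintext */
    memcpy(expect, tok, WRAP_HDR_LEN);
    expect[6] = expect[7] = 0;               /* encrypted copy carries RRC = 0 */
    if (memcmp(plain + plain_len - WRAP_HDR_LEN, expect, WRAP_HDR_LEN) != 0)
        return -1;                           /* outer EC or flags were altered */
    return (long)(plain_len - WRAP_HDR_LEN - outer.ec);
}

int main(void)
{
    /* Constructed sample: sealed header, EC 0, sequence 1, data "hello". */
    uint8_t tok[16] = {0x04, 0x05, 0x02, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    uint8_t plain[21] = "hello";
    memcpy(plain + 5, tok, 16);
    return check_sealed_plaintext(tok, 16, plain, 21) == 5 ? 0 : 1;
}
```
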
Comment 3 Larry the Git Cow gentoo-dev 2024-09-01 12:37:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=705f34d940f47cffff7f2ab8083b068b4c909c66

commit 705f34d940f47cffff7f2ab8083b068b4c909c66
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-09-01 12:36:55 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-09-01 12:36:55 +0000

    app-crypt/mit-krb5: drop 1.21.2
    
    Bug: https://bugs.gentoo.org/934994
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 -
 app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild | 152 ------------------------------
 2 files changed, 153 deletions(-)