Debian Bug report logs -
#454974
krb5: Venustech AD-LAB CVEs (not serious)
Reported by: Nico Golde <nion@debian.org>
Date: Sat, 8 Dec 2007 14:24:02 UTC
Severity: normal
Tags: fixed-upstream, upstream
Found in version 1.1.7-1
Fixed in version krb5/1.6.dfsg.4~beta1-1
Done: Sam Hartman <hartmans@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#454974; Package krb5.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: krb5
Version: 1.1.7-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for krb5.
CVE-2007-5971[0]:
| Double-free vulnerability in the gss_krb5int_make_seal_token_v3
| function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has
| unknown impact and attack vectors.
CVE-2007-5902[1]:
| Integer overflow in the svcauth_gss_get_principal function in
| lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have
| an unknown impact via a large length value for a GSS client name in an RPC
| request.
CVE-2007-5901[2]:
| Use-after-free vulnerability in the gss_indicate_mechs function in
| lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact
| and attack vectors. NOTE: this might be the result of a typo in the source
| code.
CVE-2007-5894[3]:
| The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does
| not initialize the length variable when auth_type has a certain value, which
| has unknown impact and remote authenticated attack vectors. NOTE: the original
| disclosure misidentifies the conditions under which the uninitialized variable
| is used.
CVE-2007-5972[4]:
| Double-free vulnerability in the krb5_def_store_mkey function in
| lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and
| remote authenticated attack vectors. NOTE: the free operations occur in code
| that stores the krb5kdc master key, and thus the attacker must have privileges
| to store this key.
CVE-2007-5972 seems to be rather unimportant.
I did not check these vulnerabilities for stable or oldstable.
If you fix these vulnerabilities please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5902
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5901
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5894
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5972
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#454974; Package krb5.
(full text, mbox, link).
Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.
(full text, mbox, link).
Message #10 received at 454974@bugs.debian.org (full text, mbox, reply):
severity 454974 normal
tags 454974 -security
retitle 454974 krb5: Venustech AD-LAB CVEs (not serious)
thanks
Here's the information about the CVEs reported against MIT Kerberos. The
summary is that this isn't significant enough to warrant an advisory or a
stable update, although we'll fix the bugs in a later release.
To: kerberos@mit.edu
Subject: Venustech reports of MIT krb5 vulns [CVE-2007-5894 CVE-2007-5901
CVE-2007-5902 CVE-2007-5971 CVE-2007-5972]
From: Tom Yu <tlyu@mit.edu>
Date: Tue, 11 Dec 2007 19:35:12 -0500
This message responds to multiple alleged vulnerabilities in MIT
Kerberos 5 reported by Venustech AD-LAB. The alleged vulnerabilities
have CVE identifiers CVE-2007-5894, CVE-2007-5901, CVE-2007-5902,
CVE-2007-5971, and CVE-2007-5972. For the most part, the bugs are not
exploitable, and the ones which are theoretically exploitable require
extremely unlikely conditions. We plan to fix these bugs in the next
release, and will open tickets for them in our bug database in the
near future.
CVE-2007-5894
http://bugs.gentoo.org/show_bug.cgi?id=199205
This is not a vulnerability, and only a stylistic bug. The alleged
vulnerability consists of reading an uninitialized variable, "length",
in the reply() function in src/appl/gssftp/ftpd/ftpd.c.
1878 /* Other auth types go here ... */
1879 if (length >= sizeof(in) / 4 * 3) {
1880 syslog(LOG_ERR, "input to radix_encode too long");
1881 fputs(in, stdout);
1882 } else if ((kerror = radix_encode(out, in, &length, 0))) {
1883 syslog(LOG_ERR, "Couldn't encode reply (%s)",
1884 radix_error(kerror));
1885 fputs(in,stdout);
The "length" variable is only uninitialized if "auth_type" is neither
the "KERBEROS_V4" nor "GSSAPI"; this condition cannot occur in the
unmodified source code. While the remote user can set the string in
"auth_type", this may only occur by way of the auth_data() function,
which will only set "auth_type" if it exactly matches one of the
aforementioned two strings.
CVE-2007-5901
http://bugs.gentoo.org/show_bug.cgi?id=199214
This bug is consists of freeing a non-heap pointer, and is not a
practical vulnerability due to the extreme difficulty of exploitation.
In src/lib/gssapi/mechglue/g_initialize.c, the function
gss_indicate_mechs() can make the call free(mechSet), which is
erroneous because "mechSet" is a pointer to type "gss_OID_set" passed
in by the caller of gss_indicate_mechs() and the dereferenced
"*mechSet" is where the pointer to allocated memory is assigned.
201 /* still need to copy each of the oid elements arrays */
202 for (i = 0; i < (*mechSet)->count; i++) {
203 curItem = &((*mechSet)->elements[i]);
204 curItem->elements =
205 (void *) malloc(g_mechSet.elements[i].length);
206 if (curItem->elements == NULL) {
207 (void) k5_mutex_unlock(&g_mechSetLock);
208 /*
209 * must still free the allocated elements for
210 * each allocated gss_OID_desc
211 */
212 for (j = 0; j < i; j++) {
213 free((*mechSet)->elements[j].elements);
214 }
215 free((*mechSet)->elements);
216 free(mechSet);
217 *mechSet = NULL;
218 return (GSS_S_FAILURE);
219 }
220 g_OID_copy(curItem, &g_mechSet.elements[i]);
221 }
If the allocation of (*mechSet)->elements fails, the erroneous call of
free(mechSet) occurs, freeing a pointer which probably points into the
stack frame of the caller. In order to successfully exploit this
vulnerability, an attacker would have to cause a malloc() failure to
occur at precisely the right time: almost immediately after a
different malloc() call has succeeded.
CVE-2007-5902
http://bugs.gentoo.org/show_bug.cgi?id=199214
This bug consists of an integer overflow in
svcauth_gss_get_principal() in src/lib/rpc/svc_auth_gss.c, which can
cause an invocation of memcpy() to overflow a zero-length allocated
buffer. This is not a practical vulnerability due to the
nigh-impossibility of producing the conditions required to trigger the
bug.
641 svcauth_gss_get_principal(SVCAUTH *auth)
642 {
643 struct svc_rpc_gss_data *gd;
644 char *pname;
645
646 gd = SVCAUTH_PRIVATE(auth);
647
648 if (gd->cname.length == 0)
649 return (NULL);
650
651 if ((pname = malloc(gd->cname.length + 1)) == NULL)
652 return (NULL);
653
654 memcpy(pname, gd->cname.value, gd->cname.length);
655 pname[gd->cname.length] = '\0';
656
657 return (pname);
658 }
If "gd->cname.length" is exactly SIZE_MAX, then the call to malloc()
will have an argument of zero due to the modular arithmetic used on
unsigned integer types in C. If malloc(0) returns a non-null pointer
on a specific platform, then the subsequent memcpy() call can attempt
to copy SIZE_MAX bytes and overflow the zero-length buffer.
The value "gd->cname" results from calling krb5_unparse_name() with a
principal obtained during authentication. To successfully exploit
this vulnerability, an attacker would need to successfully
authenticate using a principal name whose unparsed string
representation is exactly SIZE_MAX+1 bytes long. Such a principal
name is very unlikely to exist, and even if such an unusual principal
did exist, the C implementation would have to successfully allocate a
buffer SIZE_MAX+1 bytes long, which almost certainly will not succeed.
CVE-2007-5971
http://bugs.gentoo.org/show_bug.cgi?id=199212
This bug is a double-free condition which is not a practical
vulnerability due to the extreme difficulty of exploitation. If
krb5_c_make_checksum() (in src/lib/gssapi/krb5/k5sealv3.c) fails,
"outbuf" may be freed twice.
244 err = krb5_c_make_checksum(context, ctx->cksumtype, key,
245 key_usage, &plain, &sum);
246 zap(plain.data, plain.length);
247 free(plain.data);
248 plain.data = 0;
249 if (err) {
250 zap(outbuf,bufsize);
251 free(outbuf);
252 goto error;
253 }
...
290 error:
291 free(outbuf);
292 token->value = NULL;
293 token->length = 0;
294 return err;
295 }
krb5_c_make_checksum() only fails if malloc() fails to allocate a very
small amount of memory. To exploit this vulnerability, an attacker
would need to force a malloc() failure at exactly the point where
krb5_c_make_checksum is called.
CVE-2007-5972
http://bugs.gentoo.org/show_bug.cgi?id=199211
This bug is a double-free (actually a double-fclose) bug which is not
a vulnerability due to inaccessibility to an attacker. If the
fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c)
fails, the file pointer "kf" may have fclose() called on it twice.
180 if ((fwrite((krb5_pointer) &enctype,
181 2, 1, kf) != 1) ||
182 (fwrite((krb5_pointer) &key->length,
183 sizeof(key->length), 1, kf) != 1) ||
184 (fwrite((krb5_pointer) key->contents,
185 sizeof(key->contents[0]), (unsigned) key->length,
186 kf) != key->length)) {
187 retval = errno;
188 (void) fclose(kf);
189 }
190 if (fclose(kf) == EOF)
191 retval = errno;
The relevant code stashes a KDC master key. It is only run by
explicit action of a KDC administrator, who already has all the
privileges that exploiting this bug would gain. A properly configured
KDC will have no unprivileged users having shell or other login
access; therefore, an unprivileged user cannot cause the fwrite()
failure necessary for triggering this bug. Also, under normal
conditions, the code is run exactly once in the lifetime of a KDC: at
database creation time.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Severity set to `normal' from `grave'
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Wed, 12 Dec 2007 00:54:15 GMT) (full text, mbox, link).
Tags removed: security
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Wed, 12 Dec 2007 00:54:16 GMT) (full text, mbox, link).
Changed Bug title to `krb5: Venustech AD-LAB CVEs (not serious)' from `krb5: multiple vulnerabilities'.
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Wed, 12 Dec 2007 00:54:17 GMT) (full text, mbox, link).
Tags added: upstream
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Mon, 28 Apr 2008 23:42:02 GMT) (full text, mbox, link).
Tags added: fixed-upstream
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Tue, 29 Apr 2008 04:03:12 GMT) (full text, mbox, link).
Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #25 received at 454974-close@bugs.debian.org (full text, mbox, reply):
Source: krb5
Source-Version: 1.6.dfsg.4~beta1-1
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:
krb5-admin-server_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-1_i386.deb
krb5-clients_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-1_i386.deb
krb5-doc_1.6.dfsg.4~beta1-1_all.deb
to pool/main/k/krb5/krb5-doc_1.6.dfsg.4~beta1-1_all.deb
krb5-ftpd_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-1_i386.deb
krb5-kdc-ldap_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-1_i386.deb
krb5-kdc_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-1_i386.deb
krb5-pkinit_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-1_i386.deb
krb5-rsh-server_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-1_i386.deb
krb5-telnetd_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-1_i386.deb
krb5-user_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-1_i386.deb
krb5_1.6.dfsg.4~beta1-1.diff.gz
to pool/main/k/krb5/krb5_1.6.dfsg.4~beta1-1.diff.gz
krb5_1.6.dfsg.4~beta1-1.dsc
to pool/main/k/krb5/krb5_1.6.dfsg.4~beta1-1.dsc
krb5_1.6.dfsg.4~beta1.orig.tar.gz
to pool/main/k/krb5/krb5_1.6.dfsg.4~beta1.orig.tar.gz
libkadm55_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-1_i386.deb
libkrb5-dbg_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-1_i386.deb
libkrb5-dev_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-1_i386.deb
libkrb53_1.6.dfsg.4~beta1-1_i386.deb
to pool/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 454974@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 31 May 2008 10:53:21 -0400
Source: krb5
Binary: libkadm55 libkrb53 krb5-user krb5-clients krb5-rsh-server krb5-ftpd krb5-telnetd krb5-kdc krb5-kdc-ldap krb5-admin-server libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc
Architecture: source all i386
Version: 1.6.dfsg.4~beta1-1
Distribution: experimental
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
krb5-doc - Documentation for MIT Kerberos
krb5-ftpd - Secure FTP server supporting MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
krb5-telnetd - Secure telnet server supporting MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libkadm55 - MIT Kerberos administration runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - MIT Kerberos runtime libraries
Closes: 454974 482324 482326 482362 482366 482376 482428 482682 483049
Changes:
krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low
.
* Changes from Russ:
* Do not translate the Kerberos v4 modes. They are literal strings
passed to the Kerberos KDC as arguments to the -4 option. Comment
mentions of those strings in the debconf template so that
translators know this.
* Rather than prompting at installation time for whether the KDC
database should be deleted on purge, prompt in prerm when the package
is being removed for whether the database should be deleted.
* Translation updates:
- Galician, thanks Jacobo Tarrio. (Closes: #482324)
- French, thanks Christian Perrier. (Closes: #482326)
- Vietnamese, thanks Clytie Siddall. (Closes: #482362)
- Basque, thanks Piarres Beobide. (Closes: #482376)
- Czech, thanks Miroslav Kure. (Closes: #482428)
- German, thanks Helge Kreutzmann. (Closes: #482366)
- Spanish, thanks Diego D'Onofrio.
- Finnish, thanks Esko Arajärvi. (Closes: #482682)
- Portuguese, thanks Miguel Figueiredo. (Closes: #483049)
* From Sam:
* remove extra space in debian/rules so upstream configure scripts can work
* Upgrade to 1.6.4 beta 1
* Upstream includes several fixes to bugs that were assigned CVE
numbers; upstream does not actually consider these security issues and
no advisory was issued, but they are included here for the benefit of
the security team in case anyone asks. , Closes: #454974
- fix CVE-2007-5972: double fclose() in
krb5_def_store_mkey()
- fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
- fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
- fix CVE-2007-5971: free of non-heap pointer in
gss_indicate_mechs()
- fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()
Files:
89268ea6d6ebf1c0032f140bf8589224 1088 net standard krb5_1.6.dfsg.4~beta1-1.dsc
08d6ce311204803acbe878ef0bb23c71 11647547 net standard krb5_1.6.dfsg.4~beta1.orig.tar.gz
5fe53a391108b1826594f31f2b486aaa 840934 net standard krb5_1.6.dfsg.4~beta1-1.diff.gz
d7cf83e09445e58c6d269f3c1606f9f7 2147806 doc optional krb5-doc_1.6.dfsg.4~beta1-1_all.deb
95d873a07763f8de28d23b7fdabb6045 149382 libs optional libkadm55_1.6.dfsg.4~beta1-1_i386.deb
bdad5a8abcefd936d938b00cec2abeeb 468996 libs standard libkrb53_1.6.dfsg.4~beta1-1_i386.deb
945da0cc85bfebbf2973c299d7db2b92 134346 net optional krb5-user_1.6.dfsg.4~beta1-1_i386.deb
d6ba6a8b6d92266419e15d9a8b7b40d0 201822 net optional krb5-clients_1.6.dfsg.4~beta1-1_i386.deb
0e059f10bbf59beee4af4042f65e4feb 84060 net optional krb5-rsh-server_1.6.dfsg.4~beta1-1_i386.deb
1cfe4e45787898ac137998f750d0c21f 61824 net extra krb5-ftpd_1.6.dfsg.4~beta1-1_i386.deb
420320f63aa5e870c56cf1cd0237552c 67768 net extra krb5-telnetd_1.6.dfsg.4~beta1-1_i386.deb
727f612448f21288078aecc29f6a0fd5 175912 net optional krb5-kdc_1.6.dfsg.4~beta1-1_i386.deb
1b9a2349afc2ffe9e88ae08ad52af095 99588 net extra krb5-kdc-ldap_1.6.dfsg.4~beta1-1_i386.deb
a52889e93bc9d3481e72af8042f434c1 83740 net optional krb5-admin-server_1.6.dfsg.4~beta1-1_i386.deb
feff6ce4b1b5c69eacf7e734890aeddf 91410 libdevel extra libkrb5-dev_1.6.dfsg.4~beta1-1_i386.deb
6bd00b1090773eabc1d55839ddd868ba 1287932 libdevel extra libkrb5-dbg_1.6.dfsg.4~beta1-1_i386.deb
e5adf151f847c38026de931cb8d1d226 62638 net extra krb5-pkinit_1.6.dfsg.4~beta1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIQWof/I12czyGJg8RAkVuAJ40iDZumZCXe5Ti6YsZAusGyDvjowCgpsQz
K6HfTN1FaAaVvVRuiORIJck=
=KXnI
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 29 Jun 2008 07:35:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:02:31 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon