Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

krb5: CVE-2010-1321 GSS-API library null pointer dereference

Related Vulnerabilities: CVE-2010-1321  

Source

Debian Bug report logs - #582261
krb5: CVE-2010-1321 GSS-API library null pointer dereference

version graph

Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Sebastien Delafond <seb@debian.org>

Date: Wed, 19 May 2010 14:33:01 UTC

Severity: grave

Tags: security

Fixed in version krb5/1.8.1+dfsg-3

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#582261; Package src:krb5. (Wed, 19 May 2010 14:33:03 GMT) (full text, mbox, link).

Acknowledgement sent to Sebastien Delafond <seb@debian.org>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Wed, 19 May 2010 14:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sebastien Delafond <seb@debian.org>
To: submit@bugs.debian.org
Subject: krb5: CVE-2010-1321 GSS-API library null pointer dereference
Date: Wed, 19 May 2010 16:30:43 +0200
Source: krb5
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for krb5.

CVE-2010-1321[0]:
| Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
| to crash due to a null pointer dereference in the GSS-API library.
|
| This is an implementation vulnerability in MIT krb5, and not a
| vulnerability in the Kerberos protocol.
|
| An authenticated remote attacker can cause a GSS-API application
| server (including the Kerberos administration daemon kadmind) to crash
| by sending a malformed GSS-API token that induces a null pointer
| dereference.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

There is a new upstream release which fixes these issues.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
    http://security-tracker.debian.net/tracker/CVE-2010-1321
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt

Cheers,

--Seb

Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Wed, 19 May 2010 20:27:09 GMT) (full text, mbox, link).

Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Wed, 19 May 2010 21:45:22 GMT) (full text, mbox, link).

Notification sent to Sebastien Delafond <seb@debian.org>:
Bug acknowledged by developer. (Wed, 19 May 2010 21:45:22 GMT) (full text, mbox, link).

Message #12 received at 582261-close@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@debian.org>
To: 582261-close@bugs.debian.org
Subject: Bug#582261: fixed in krb5 1.8.1+dfsg-3
Date: Wed, 19 May 2010 21:41:40 +0000
Source: krb5
Source-Version: 1.8.1+dfsg-3

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-admin-server_1.8.1+dfsg-3_amd64.deb
krb5-doc_1.8.1+dfsg-3_all.deb
  to main/k/krb5/krb5-doc_1.8.1+dfsg-3_all.deb
krb5-kdc-ldap_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-kdc-ldap_1.8.1+dfsg-3_amd64.deb
krb5-kdc_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-kdc_1.8.1+dfsg-3_amd64.deb
krb5-multidev_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-multidev_1.8.1+dfsg-3_amd64.deb
krb5-pkinit_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-pkinit_1.8.1+dfsg-3_amd64.deb
krb5-user_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/krb5-user_1.8.1+dfsg-3_amd64.deb
krb5_1.8.1+dfsg-3.diff.gz
  to main/k/krb5/krb5_1.8.1+dfsg-3.diff.gz
krb5_1.8.1+dfsg-3.dsc
  to main/k/krb5/krb5_1.8.1+dfsg-3.dsc
libgssapi-krb5-2_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libgssapi-krb5-2_1.8.1+dfsg-3_amd64.deb
libgssrpc4_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libgssrpc4_1.8.1+dfsg-3_amd64.deb
libk5crypto3_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libk5crypto3_1.8.1+dfsg-3_amd64.deb
libkadm5clnt-mit7_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkadm5clnt-mit7_1.8.1+dfsg-3_amd64.deb
libkadm5srv-mit7_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkadm5srv-mit7_1.8.1+dfsg-3_amd64.deb
libkdb5-4_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkdb5-4_1.8.1+dfsg-3_amd64.deb
libkrb5-3_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkrb5-3_1.8.1+dfsg-3_amd64.deb
libkrb5-dbg_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkrb5-dbg_1.8.1+dfsg-3_amd64.deb
libkrb5-dev_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkrb5-dev_1.8.1+dfsg-3_amd64.deb
libkrb5support0_1.8.1+dfsg-3_amd64.deb
  to main/k/krb5/libkrb5support0_1.8.1+dfsg-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 582261@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 May 2010 16:37:36 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4 libkrb5support0
Architecture: source all amd64
Version: 1.8.1+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-4  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 581473 582122 582261
Changes: 
 krb5 (1.8.1+dfsg-3) unstable; urgency=high
 .
   * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
     #582261
   * Force use of bash for build, Closes: #581473
   * Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
     #582122
Checksums-Sha1: 
 1dcb1f686c089085429b60d3320a13f3e96f83cd 1568 krb5_1.8.1+dfsg-3.dsc
 9b05d910bc1924d468833029cd62d307f6888262 122613 krb5_1.8.1+dfsg-3.diff.gz
 891976cbb0462a29a8b1cd6d5bf775292a600506 2247298 krb5-doc_1.8.1+dfsg-3_all.deb
 5b3faeb818e265c3d173d1c6e11f6eb795adba72 135866 krb5-user_1.8.1+dfsg-3_amd64.deb
 086b15795db19313a8d96e48c32b9d0cefde01dd 215964 krb5-kdc_1.8.1+dfsg-3_amd64.deb
 cee09d74e1d1e538d80074c02d2d084d63413748 115740 krb5-kdc-ldap_1.8.1+dfsg-3_amd64.deb
 66b37625b34f841f4bfa29e42bc632f363e56ac0 110760 krb5-admin-server_1.8.1+dfsg-3_amd64.deb
 a961ffe1bc0d17511504783e1bdd0a98d7efcf64 102198 krb5-multidev_1.8.1+dfsg-3_amd64.deb
 3f81cd691a678d90344e2ee894fa4d1a54da7146 35772 libkrb5-dev_1.8.1+dfsg-3_amd64.deb
 5a37d6b7789677193af46768f8b34642a7b09183 1626104 libkrb5-dbg_1.8.1+dfsg-3_amd64.deb
 fa2b24c6d90d7010cec0ef49833dc548be621b32 76112 krb5-pkinit_1.8.1+dfsg-3_amd64.deb
 392b78e8783379b63dc7fe0adf1996d7008b14d7 371830 libkrb5-3_1.8.1+dfsg-3_amd64.deb
 344e8e80284529c3b9c1715e759c35c3a8bb4087 128944 libgssapi-krb5-2_1.8.1+dfsg-3_amd64.deb
 0a193b536067e7ef24c660e1ad581a4266236a62 82378 libgssrpc4_1.8.1+dfsg-3_amd64.deb
 8e6d1d7a242883e490fbb98f0d595ca079e590ad 76582 libkadm5srv-mit7_1.8.1+dfsg-3_amd64.deb
 0a12600ec33efd60239f6c601a96daca692db1f2 63150 libkadm5clnt-mit7_1.8.1+dfsg-3_amd64.deb
 eb5a5b0e37980c031fc515059e6b7e36f01c9f45 104578 libk5crypto3_1.8.1+dfsg-3_amd64.deb
 bcf8d801c26db5fd341780092441d662225f764e 62602 libkdb5-4_1.8.1+dfsg-3_amd64.deb
 28d71b115d4060299cb09e58f630a1d793ca257f 44134 libkrb5support0_1.8.1+dfsg-3_amd64.deb
Checksums-Sha256: 
 073aaba3dae4e452c523dd7dba6870eb6a5073e58cfa99ef88b908a6175fdbff 1568 krb5_1.8.1+dfsg-3.dsc
 4b5d2661af1332c05c41438c5eb2027be64d47c41b64264dcb231e38b04e55e0 122613 krb5_1.8.1+dfsg-3.diff.gz
 753333a470dda528df77acb21c4fe42da9efc2ae9cbd5d2a76db09f2cc44814b 2247298 krb5-doc_1.8.1+dfsg-3_all.deb
 75bf2b968e0097a795ebe0fe6e4a42d516ade3c63c2688e7cdd2ad6d825383c0 135866 krb5-user_1.8.1+dfsg-3_amd64.deb
 68f0394936450f9015f2bcaf208f4f668861c816d7676fad94ce7059d453de08 215964 krb5-kdc_1.8.1+dfsg-3_amd64.deb
 920ffdffa5dc1eb9179b48e84e6df5eb32e4280a17888ae2e4b28a1103ff662a 115740 krb5-kdc-ldap_1.8.1+dfsg-3_amd64.deb
 37e6776e79c565cc477dcb69c90be6469fdb985c4ba95b19425e6753b2cf7cd4 110760 krb5-admin-server_1.8.1+dfsg-3_amd64.deb
 289ac7a00e62ebefd33b4decc5c64c801bab58e4802a69b4d4d324df2c05c775 102198 krb5-multidev_1.8.1+dfsg-3_amd64.deb
 d3ab7c5d54839a6920f09b864a5ab4f1863da6bc8d5027dcbe9eebda117f8a4f 35772 libkrb5-dev_1.8.1+dfsg-3_amd64.deb
 3eed44ee89063ade9e96378c748abcc5718adb5b1f1c6c34c7a9f36a08258c68 1626104 libkrb5-dbg_1.8.1+dfsg-3_amd64.deb
 dc0b68ab66331be63c76bfa544a7fd847eff37fd5412b206d5b093916b6fe3af 76112 krb5-pkinit_1.8.1+dfsg-3_amd64.deb
 316ae988ee603945e556232964fc4f92fd2fe6b7fd70fd495e5cd178c026db71 371830 libkrb5-3_1.8.1+dfsg-3_amd64.deb
 818b0e50bb930b779f02cd0d029798491e8008c589b4b4b886e5eb1922bacf2e 128944 libgssapi-krb5-2_1.8.1+dfsg-3_amd64.deb
 afa199f149f398fa468e8f493cc51ca527741cfe4bac6e5ff5d6ff5f6662c174 82378 libgssrpc4_1.8.1+dfsg-3_amd64.deb
 2ac68bd9c8b0498474e52969fbb804d179713dbfd24b235e85ff832dfa326acf 76582 libkadm5srv-mit7_1.8.1+dfsg-3_amd64.deb
 f04f94e4872973c66441758b72a4433b35bcdb9c137c56cf2ed5e7cf4e0dba20 63150 libkadm5clnt-mit7_1.8.1+dfsg-3_amd64.deb
 6c0c6e6f6fa64c06ee6f99367fd5b39647ed3566683685dd0ce5371493087b21 104578 libk5crypto3_1.8.1+dfsg-3_amd64.deb
 328f3a15351641828783d1fbb2614e90deb54bfee0de5059e171902c84078a00 62602 libkdb5-4_1.8.1+dfsg-3_amd64.deb
 d81912329d32ebfdaca559e277b2737bf8b3087f41608b07a106ad0842750ff5 44134 libkrb5support0_1.8.1+dfsg-3_amd64.deb
Files: 
 8317641f0f8ff6a6fc6814303827b767 1568 net standard krb5_1.8.1+dfsg-3.dsc
 0ce346330f41e308c071a11056885353 122613 net standard krb5_1.8.1+dfsg-3.diff.gz
 d60102707397be9e60e0bf7287c77228 2247298 doc optional krb5-doc_1.8.1+dfsg-3_all.deb
 39d06de2fd6b446cbc4c0097b5acee82 135866 net optional krb5-user_1.8.1+dfsg-3_amd64.deb
 b69464db89009050183761a1e468b2d4 215964 net optional krb5-kdc_1.8.1+dfsg-3_amd64.deb
 70d198cba74252652c9fbc6552fe6eda 115740 net extra krb5-kdc-ldap_1.8.1+dfsg-3_amd64.deb
 6677aad42162dda68830db32dd58eaa9 110760 net optional krb5-admin-server_1.8.1+dfsg-3_amd64.deb
 de8fa2114b91f43412f178eed7078833 102198 libdevel optional krb5-multidev_1.8.1+dfsg-3_amd64.deb
 a7558bfccf8d06c0ed7b9c48ad119b92 35772 libdevel extra libkrb5-dev_1.8.1+dfsg-3_amd64.deb
 38828047bcc971d32f5acd273af81150 1626104 debug extra libkrb5-dbg_1.8.1+dfsg-3_amd64.deb
 cf7c499bcab580d64ce59e88b861ec87 76112 net extra krb5-pkinit_1.8.1+dfsg-3_amd64.deb
 73a91c1f712bd1cd06725585267a89ec 371830 libs standard libkrb5-3_1.8.1+dfsg-3_amd64.deb
 cc0e930b9c713b4095b733ac84724138 128944 libs standard libgssapi-krb5-2_1.8.1+dfsg-3_amd64.deb
 3bf7738cc018e8b33b4ee0b79d4625da 82378 libs standard libgssrpc4_1.8.1+dfsg-3_amd64.deb
 87b833d1ff0d266ac7fac7ce61e60b10 76582 libs standard libkadm5srv-mit7_1.8.1+dfsg-3_amd64.deb
 92d34e8172967dda5c44f8f72e2d048b 63150 libs standard libkadm5clnt-mit7_1.8.1+dfsg-3_amd64.deb
 a1526f37e29b08259a894ebb2ca009a2 104578 libs standard libk5crypto3_1.8.1+dfsg-3_amd64.deb
 e8b5acf36dafc40c14fa51b46c4cad94 62602 libs standard libkdb5-4_1.8.1+dfsg-3_amd64.deb
 58243442849ae52d71e14c7e52668c06 44134 libs standard libkrb5support0_1.8.1+dfsg-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkv0Tf4ACgkQ/I12czyGJg/XWwCgvdpwxuPkFOvnw7ByxXPmQNdp
8cwAn1lXiQ5nrS0KgtN3IiMcMvYnaO85
=bDtS
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Jun 2010 07:36:09 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:17:17 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started