Bug 491036 (CVE-2009-0846)
Summary: | CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | urgent | Docs Contact: | |||||
Priority: | urgent | ||||||
Version: | unspecified | CC: | jrusnack, kreilly, nalin, rcvalle | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0846 | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-04-09 09:35:37 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 490635, 490636, 491833, 491834, 491835, 491836 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Vincent Danen
2009-03-19 02:48:19 UTC
Created attachment 335794 [details] upstream patch to fix MITKRB5-SA-2009-002 issue (CVE-2009-0846) This flaw can easily allow an attacker to crash affected application. Code execution depends on ability to exploit free() called on uninitialized pointer. glibc on Red Hat Enterprise Linux 4 and later provides hardened malloc/free implementations, greatly mitigating possibility of exploitation of this flaw. Red Hat Enterprise Linux 2.1 and 3 do not offer such hardening, resulting in higher impact rating for those versions. Public now via: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0408 https://rhn.redhat.com/errata/RHSA-2009-0408.html This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2009:0409 https://rhn.redhat.com/errata/RHSA-2009-0409.html This issue has been addressed in following products: Red Hat Enterprise Linux 2.1 Red Hat Enterprise Linux 3 Via RHSA-2009:0410 https://rhn.redhat.com/errata/RHSA-2009-0410.html krb5-1.6.3-16.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. krb5-1.6.3-18.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2009-0408.html http://rhn.redhat.com/errata/RHSA-2009-0410.html http://rhn.redhat.com/errata/RHSA-2009-0409.html Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2852 https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2834 |