Bug 1278951 (CVE-2015-2698)

Summary: CVE-2015-2698 krb5: IAKERB context export/import
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, dpal, jplans, nalin, nathaniel, pkis, rharwood
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-10 10:09:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1278952    
Bug Blocks: 1275873    

Description Kurt Seifried 2015-11-06 20:22:53 UTC 
The kerberos project reports:

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory.  Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context.  Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

External reference:
https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
Comment 1 Kurt Seifried 2015-11-06 20:23:53 UTC 
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1278952]
Comment 2 Robbie Harwood 2015-11-06 20:40:29 UTC 
Fix already pushed to rawhide.

Additionally:

https://bodhi.fedoraproject.org/updates/FEDORA-2015-1b9c33d713
https://bodhi.fedoraproject.org/updates/FEDORA-2015-58ae075703
https://bodhi.fedoraproject.org/updates/FEDORA-2015-200d2dfd9f
Comment 3 Stefan Cornelius 2015-12-10 10:08:45 UTC 
Statement:

This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 4, 5, 6, and 7.