Bug 1349042

Summary: Incorrect length calculation in libkrad
Product: Red Hat Enterprise Linux 7 Reporter: Nathaniel McCallum <npmccallum>
Component: krb5Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA QA Contact: Patrik Kis <pkis>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: dpal, ekeck, mkosek, pkis, thibaut.pouzet
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: krb5-1.14.1-18.el7 Doc Type: Bug Fix
Doc Text:
Cause: Incorrect length calculation in libkrad Consequence: ipa-otpd may experience timeouts Fix: Check length correctly Result: No more timeouts
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 20:25:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Nathaniel McCallum 2016-06-22 15:04:50 UTC
Upstream pull request: https://github.com/krb5/krb5/pull/471

Comment 7 Robbie Harwood 2016-06-29 15:16:21 UTC
*** Bug 1344031 has been marked as a duplicate of this bug. ***

Comment 11 thibaut.pouzet 2016-08-09 14:12:07 UTC
Should I be worried about this bug becoming a security issue if properly exploited ?

Comment 12 Robbie Harwood 2016-08-09 15:18:26 UTC
(In reply to thibaut.pouzet from comment #11)
> Should I be worried about this bug becoming a security issue if properly
> exploited ?

If exploited, it's a network-controlled write past the end of a buffer.  This buffer is on the heap, so it's very hard (though not impossible) to actually exploit.  That this issue may cause sporadic application failures was deemed a more pressing issue.

Comment 14 errata-xmlrpc 2016-11-03 20:25:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.