Bug 154276

Summary: krb5 CAN-2005-046{8,9} - buffer overflows
Product: [Retired] Fedora Legacy
Component: krb5
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Michal Jaegermann <michal>
Assignee: Fedora Legacy Bugs <bugs>
CC: dkl, jimpop, mattdm, pekkas
Keywords: Security
Whiteboard: 1, LEGACY, rhl73, rhl9
Doc Type: Bug Fix
Last Closed: 2005-07-24 14:53:56 UTC

Attachments:
- spec file modifications
- krb5-1.2.7-tcp3.patch adjusted for 1.2.4
- krb5-1.2-MITKRB5SA-2005-001.patch in a unified diff format

Description Michal Jaegermann 2005-04-08 22:26:45 UTC
Created attachment 112883
spec file modifications

Comment 1 Michal Jaegermann 2005-04-08 22:26:45 UTC
Description of problem:

https://rhn.redhat.com/errata/RHSA-2005-330.html

describes two buffer overflows in sources which are rather close to
those in the current Legacy-testing.  It appears that some other issues
are also fixed.  The following patches show up there on top of what is
present in, say, krb5-1.2.4-16.legacy:

krb5-1.2.7-gss-ccache-free.patch
krb5-1.2.7-tcp3.patch
krb5-1.2.7-stdarg.patch
krb5-1.2-MITKRB5SA-2005-001.patch
krb5-1.2.7-endiansize.patch

A patch krb5-1.2.7-tcp3.patch applies with sizeable offsets and
krb5-1.2-MITKRB5SA-2005-001.patch is in a form (probably mangled a bit by
mail) which is not acceptable to the 'patch' utility from at least RH7.3.
Therefore attached are reworked versions of these two patches and a diff
to a spec from krb5-1.2.4-16.legacy.  Some modifications to make that closer
to a spec file from RHEL are also included.

The remaining three patches do not need any adjustments before application.

Comment 2 Michal Jaegermann 2005-04-08 22:28:03 UTC
Created attachment 112884
krb5-1.2.7-tcp3.patch adjusted for 1.2.4

Comment 3 Michal Jaegermann 2005-04-08 22:29:10 UTC
Created attachment 112885
krb5-1.2-MITKRB5SA-2005-001.patch in a unified diff format

Comment 4 Marc Deslauriers 2005-04-12 00:10:22 UTC
*** Bug 152585 has been marked as a duplicate of this bug. ***

Comment 5 Matthew Miller 2005-04-12 23:43:40 UTC
Fedora Core 2 was already updated for this, by the way.

Comment 6 Michal Jaegermann 2005-04-13 02:04:32 UTC
ftp://ftp.harddata.com/pub/Legacy_srpms/krb5-1.2.4-16.mj.src.rpm
is a srpm for RH7.3 patched in a way described in this report.

Comment 7 Pekka Savola 2005-05-01 07:04:25 UTC
I guess this applies to RHL9 and FC1 as well..

Comment 8 Pekka Savola 2005-05-11 09:00:12 UTC
I didn't include the other patches, because they seemed more like
bugfixes/enhancements (like the tcp3 one), rather than security fixes.

If there is consensus to include them (in the interest of getting closer to RHEL
versions), that would be OK by me.

Comment 9 Pekka Savola 2005-06-07 07:48:03 UTC
No discussion seems to have taken place, so here are new RPMs which
fix CAN-2005-0468 & CAN-2005-0469.  These do not include any
other (non-security) patches from RHEL.  FC2 was already fixed.
 
http://staff.csc.fi/psavola/fl/krb5-1.2.4-16.1.legacy.src.rpm (RHL73)
http://staff.csc.fi/psavola/fl/krb5-1.2.7-38.3.legacy.src.rpm (RHL9)
http://staff.csc.fi/psavola/fl/krb5-1.3.4-5.3.legacy.src.rpm (FC1)
 
fc5363d0cf47f379c4df032871d6fca09db51cbf  krb5-1.2.4-16.1.legacy.src.rpm
dd2bb6e3c1e2c45631b59bd294fc25e2e1e044c7  krb5-1.2.7-38.3.legacy.src.rpm
3fc1e78ea65c0100c05ee1340faf80eb04b190a5  krb5-1.3.4-5.3.legacy.src.rpm


Comment 10 Matthew Miller 2005-06-08 18:25:18 UTC
Was there an earlier legacy krb5 release for rhl9? The latest I can find in the
mirror is krb5-1.2.7-14, with no post-RH changes.

Comment 11 Pekka Savola 2005-06-08 18:47:23 UTC
Nothing has been officially released by FL, but my updates are based on those in
updates-testing, developed in PR 152773.

Comment 12 Matthew Miller 2005-06-08 18:49:24 UTC
Okay, thanks. Will look at bug #152773 again.

Comment 13 Donald Maner 2005-06-17 03:15:50 UTC
I did QA on the RHL73, RH9, and FC1 packages.

fc5363d0cf47f379c4df032871d6fca09db51cbf  krb5-1.2.4-16.1.legacy.src.rpm
dd2bb6e3c1e2c45631b59bd294fc25e2e1e044c7  krb5-1.2.7-38.3.legacy.src.rpm
3fc1e78ea65c0100c05ee1340faf80eb04b190a5  krb5-1.3.4-5.3.legacy.src.rpm

I compared sha1sums of the individual files in each .src.rpm to the previously
released FedoraLegacy update, and they all match.

Patch is as expected.

Specfile changes are to package version, addition of new patch, and changelog.

+PUBLISH RH73,RH9,FC1

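
The file-by-file SHA-1 comparison described in comment 13, as an added example that is not part of the original thread. It assumes both source RPMs have already been unpacked into directories (for instance with `rpm2cpio pkg.src.rpm | cpio -idm`); the function names and the sample file names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_manifest(tree):
    """Map each file path (relative to tree) to its SHA-1 hex digest."""
    root = Path(tree)
    return {
        p.relative_to(root).as_posix(): hashlib.sha1(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_srpm_trees(old_tree, new_tree):
    """Classify files as added, removed or changed between two unpacked SRPMs."""
    old, new = sha1_manifest(old_tree), sha1_manifest(new_tree)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in common if old[n] != new[n]),
    }


def unexpected_changes(report, spec_name, expected_patches):
    """List differences beyond a spec change plus the expected added patches."""
    problems = [f"added: {n}" for n in report["added"] if n not in expected_patches]
    problems += [f"patch not added: {n}" for n in expected_patches
                 if n not in report["added"]]
    problems += [f"removed: {n}" for n in report["removed"]]
    problems += [f"changed: {n}" for n in report["changed"] if n != spec_name]
    return problems


if __name__ == "__main__":
    # Constructed stand-ins for two unpacked source RPMs (not real krb5 files).
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "old"), Path(tmp, "new")
        old.mkdir()
        new.mkdir()
        for tree, release in ((old, "16"), (new, "16.1")):
            (tree / "example.spec").write_text(f"Release: {release}.legacy\n")
            (tree / "example-src.tar.gz").write_bytes(b"constructed tarball")
        (new / "example-security.patch").write_text("constructed patch\n")
        report = compare_srpm_trees(old, new)
        print(report)
        print(unexpected_changes(report, "example.spec", ["example-security.patch"]))
```

An empty list from `unexpected_changes` corresponds to the outcome the comment reports: only the spec file differs and only the expected patch is new.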

Comment 14 Pekka Savola 2005-06-17 07:04:27 UTC
*** Bug 152773 has been marked as a duplicate of this bug. ***

Comment 15 Marc Deslauriers 2005-06-19 15:16:38 UTC
Packages were pushed to updates-testing

Comment 16 Eric Jon Rostetter 2005-07-07 21:07:01 UTC
++VERIFY for RHL 9
++VERIFY for RHL 7.3
 
RHL 9 Packages:
krb5-devel-1.2.7-38.3.legacy.i386.rpm
krb5-libs-1.2.7-38.3.legacy.i386.rpm
krb5-server-1.2.7-38.3.legacy.i386.rpm
krb5-workstation-1.2.7-38.3.legacy.i386.rpm
 
RHL 7.3 Packages:
krb5-devel-1.2.4-16.1.legacy.i386.rpm
krb5-libs-1.2.4-16.1.legacy.i386.rpm
krb5-server-1.2.4-16.1.legacy.i386.rpm
krb5-workstation-1.2.4-16.1.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
I installed, removed (except for krb5-libs), and re-installed all the
updates on a RHL 9 machine and a RHL 7.3 machine without problem.  Did
not notice any problems or issues on either machine.  NOTE: I did not test
any kerberos functionality as I don't use kerberos here.  I only tested that
installing, removing, and re-installing all worked without any noticed
problems or issues.
 
Vote for release for RHL 9 and RHL 7.3. ++VERIFY
 

Comment 17 Pekka Savola 2005-07-08 04:39:30 UTC
Thanks.  Timeouts in two weeks.

Comment 18 Jim Popovitch 2005-07-10 22:19:56 UTC
++VERIFY RHL 7.3

5b8e4296a97f8ac0b5fb38fb634226216fc7a7bc  krb5-libs-1.2.4-16.legacy.i386.rpm

-Jim P.


Comment 19 Pekka Savola 2005-07-23 15:40:12 UTC
Timeout over.

Comment 20 Marc Deslauriers 2005-07-24 14:53:56 UTC
These have been officially released.