Bug 206736

Summary: CVE-2006-5989 mod_auth_kerb segfaults when talking to newest KRB5 libs
Product: Red Hat Enterprise Linux 5
Component: mod_auth_kerb
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Keywords: Reopened
Reporter: Kevin Unthank <kevinu>
Assignee: Joe Orton <jorton>
CC: bressers, jturner, nalin
Whiteboard: impact=low,source=bugzilla,reported=20060915,public=20061113
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-10-02 18:36:44 UTC
Attachments: patch to allocate enough memory (flags: none)

Description Kevin Unthank 2006-09-15 22:49:48 UTC
Description of problem:

I successfully got krb5-libs-1.5-7.pal.0.0.4.i386.rpm libs
authenticating to a windows 2003 active directory kerberos
server with certificates read from a smartcard

I was then trying to set up kerberos auth with apache on a system
running fc6test2.

Using mod_auth_kerb-5.0-10 for the server
and krb5-libs-1.5-7.pal.0.0.4.i386.rpm for the client

Initially when I tried to access the kerberos protected page
apache displayed an error page complaining that I didn't have the
correct service principal so I fixed that by using samba

net ads keytab add HTTP/fqdn@REALM

The webserver now shows a blank page.
/var/log/httpd/errors reports
exit signal Segmentation fault (11)

Comment 1 Nalin Dahyabhai 2006-09-19 15:36:04 UTC
This looks like a buffer overrun in der_get_oid().  There are two components
encoded in the first byte, but the length of the component array allocated is
only the same as the number of bytes.  If there are no components which require
more than one byte for encoding, then we'll write past the end of the allocated
array every time.  Attaching a patch.
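An added illustration of the off-by-one described above (example code written for this page, not the attached patch or mod_auth_kerb's own der_get_oid()): a DER OID decoder that sizes its arc array for len + 1 entries, exercised with constructed SPNEGO and Kerberos 5 mechanism OID encodings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed samples: SPNEGO OID 1.3.6.1.5.5.2 (6 bytes, 7 arcs, exactly the
 * len + 1 case) and the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2. */
static const unsigned char SPNEGO_OID_DER[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x02};
static const unsigned char KRB5_OID_DER[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02};
/* Decode the content octets of a DER OBJECT IDENTIFIER (tag and length already
 * stripped).  Returns the arc count, or -1 on malformed input; caller frees *out. */
int der_oid_decode(const unsigned char *p, size_t len, unsigned int **out)
{
    unsigned int *arcs;
    size_t n = 0, i = 0;
    if (len == 0 || (p[len - 1] & 0x80)) return -1;   /* empty, or truncated arc */
    /* The first content byte encodes TWO arcs (40*X + Y); every later byte at
     * most one, so the OID can have up to len + 1 arcs.  An array sized len
     * (the overrun in comment 1) is one short whenever every arc is one byte. */
    if ((arcs = malloc((len + 1) * sizeof(*arcs))) == NULL)
        return -1;
    while (i < len) {
        unsigned int v = 0;
        size_t start = i;
        do {
            if (i - start >= 4 || (i == start && p[i] == 0x80)) {
                free(arcs);               /* arc over 4 bytes, or non-minimal DER */
                return -1;
            }
            v = (v << 7) | (p[i] & 0x7f);
        } while (p[i++] & 0x80);
        if (start == 0) {                 /* first byte holds two arcs */
            arcs[n++] = v < 80 ? v / 40 : 2;
            v = v < 80 ? v % 40 : v - 80;
        }
        arcs[n++] = v;
    }
    *out = arcs;
    return (int)n;
}

/* Does the DER body decode to the dotted OID string `want`?  1 = yes, 0 = no. */
int der_oid_equals(const unsigned char *p, size_t len, const char *want)
{
    unsigned int *arcs = NULL;
    char buf[128] = "";
    int n = der_oid_decode(p, len, &arcs), i, pos = 0;
    for (i = 0; i < n && pos < (int)sizeof buf; i++)
        pos += snprintf(buf + pos, sizeof buf - pos, "%s%u", i ? "." : "", arcs[i]);
    free(arcs);
    return n > 0 && strcmp(buf, want) == 0;
}
```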

Comment 2 Nalin Dahyabhai 2006-09-19 15:36:36 UTC
Created attachment 136650 [details]
patch to allocate enough memory

Comment 3 Joe Orton 2006-09-19 16:45:08 UTC
Can you test with mod_auth_kerb-5.1-2 from fc6-HEAD?  This completely removes
the SPNEGO-parsing code if built against krb5-1.4.

Comment 4 Nalin Dahyabhai 2006-09-19 20:31:50 UTC
5.1-2 also looks to work correctly.  Thanks!

Comment 5 Joe Orton 2006-09-20 15:40:00 UTC
Thanks a lot Nalin.  5.1-2 is moved to dist-fc6 so should get pulled in to -5E.

Comment 6 Jay Turner 2006-09-22 05:57:43 UTC
That version of mod_auth_kerb isn't built into a RHEL5 tree as of yet so
reopening (closed/rawhide isn't a valid state for RHEL bugs in the first place.)

Comment 7 Jay Turner 2006-10-02 18:36:44 UTC
[jkt@cobalt 4.91]$ find . -name "mod_auth_kerb*" -print
./i386/os/Server/mod_auth_kerb-5.1-2.i386.rpm
./i386/debug/mod_auth_kerb-debuginfo-5.1-2.i386.rpm
./ppc/os/Server/mod_auth_kerb-5.1-2.ppc.rpm
./ppc/debug/mod_auth_kerb-debuginfo-5.1-2.ppc.rpm
./x86_64/os/Server/mod_auth_kerb-5.1-2.x86_64.rpm
./x86_64/debug/mod_auth_kerb-debuginfo-5.1-2.x86_64.rpm
./s390x/os/Server/mod_auth_kerb-5.1-2.s390x.rpm
./s390x/debug/mod_auth_kerb-debuginfo-5.1-2.s390x.rpm
./ia64/os/Server/mod_auth_kerb-5.1-2.ia64.rpm
./ia64/debug/mod_auth_kerb-debuginfo-5.1-2.ia64.rpm
./source/SRPMS/mod_auth_kerb-5.1-2.src.rpm
[jkt@cobalt 4.91]$ pwd
/mnt/redhat/rel-eng/RHEL5-Server-20060927.0/4.91