Bug 245548 (CVE-2007-2443)

Summary: CVE-2007-2443 krb5 RPC library stack overflow
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-02-26 15:14:46 UTC
Bug Depends On: 239073, 245544

Description Mark J. Cox 2007-06-25 11:41:55 UTC
The MIT Kerberos Team has made us aware of the following flaw in krb5:
CVE-2007-2443: The RPC library can write past the end of a stack
buffer.

CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true if "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer.  Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame.  Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.
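The length-check pattern described above, modelled as an added example (this is not MIT krb5 code; apart from gssrpc__svcauth_unix, IXDR_GET_U_LONG and MAX_MACHINE_NAME, every name is hypothetical, and MAX_MACHINE_NAME is assumed to be 255, the AUTH_SYS limit from the RPC specification, since the page only names the macro). The flawed variant returns the byte count memmove() would have received rather than performing the copy, so the effect of the signed conversion can be observed without crashing; the hardened variant keeps the length unsigned and bounds it against both the destination buffer and the bytes actually present in the message:

```c
/* Added example (not MIT krb5 code): the signed/unsigned length check from
 * CVE-2007-2443 next to a hardened form. REJECTED, get_u_long_be,
 * flawed_copy_length, checked_copy_length and decode_machname are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_MACHINE_NAME 255   /* assumed: AUTH_SYS limit from the RPC spec; the page names only the macro */
#define REJECTED ((size_t)-1)  /* hypothetical sentinel: credential rejected before any copy */

/* Mimics IXDR_GET_U_LONG: read a 32-bit big-endian unsigned integer. */
static uint32_t get_u_long_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed pattern: the unsigned wire length is stored in a signed int, so any
 * value >= 2^31 becomes negative and the "< MAX_MACHINE_NAME" test passes.
 * Returns the byte count memmove() would receive instead of copying. */
size_t flawed_copy_length(const unsigned char *cred, size_t cred_len)
{
    if (cred_len < 4) return REJECTED;
    int str_len = (int)get_u_long_be(cred);   /* the bug: signed storage */
    if (str_len < MAX_MACHINE_NAME)           /* true for every negative str_len */
        return (size_t)str_len;                /* negative -> enormous size_t */
    return REJECTED;
}

/* Hardened pattern: keep the length unsigned, bound it against the destination
 * buffer and against the number of bytes actually present after the length. */
size_t checked_copy_length(const unsigned char *cred, size_t cred_len)
{
    if (cred_len < 4) return REJECTED;
    uint32_t str_len = get_u_long_be(cred);
    if (str_len > MAX_MACHINE_NAME) return REJECTED;   /* too long for the buffer */
    if (str_len > cred_len - 4) return REJECTED;       /* declared length exceeds payload */
    return str_len;
}

/* Copies the machine name into a caller-supplied buffer only after the
 * checked length passes. Returns bytes copied, or REJECTED. */
size_t decode_machname(const unsigned char *cred, size_t cred_len,
                       char *out, size_t out_len)
{
    size_t n = checked_copy_length(cred, cred_len);
    if (n == REJECTED || n + 1 > out_len) return REJECTED;
    memmove(out, cred + 4, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample credentials: 4-byte big-endian length, then name bytes. */
    const unsigned char good[] = { 0, 0, 0, 4, 'h', 'o', 's', 't' };
    const unsigned char evil[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'x' };  /* length 0xFFFFFFF0 */
    char name[MAX_MACHINE_NAME + 1];

    printf("good: flawed=%zu checked=%zu\n",
           flawed_copy_length(good, sizeof good), checked_copy_length(good, sizeof good));
    printf("evil: flawed=%zu (check passed) checked=%zu (REJECTED)\n",
           flawed_copy_length(evil, sizeof evil), checked_copy_length(evil, sizeof evil));
    if (decode_machname(good, sizeof good, name, sizeof name) != REJECTED)
        printf("decoded machine name: %s\n", name);
    return 0;
}
```

The second bound in checked_copy_length is the check a reviewer would ask for even after the signedness is fixed: a length that fits the buffer but exceeds the bytes remaining in the message still reads past the end of the received data.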

Comment 1 Mark J. Cox 2007-06-25 11:45:21 UTC
On all architectures of Red Hat Enterprise Linux the memmove with large size
will just segfault and therefore this issue can lead to a denial of service.

(Note that this memmove overflow is not caught by FORTIFY_SOURCE due to the
structure of the code.)

Comment 3 Josh Bressers 2007-06-26 18:21:03 UTC
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt

Comment 4 Red Hat Product Security 2008-02-26 15:14:46 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0384.html
  http://rhn.redhat.com/errata/RHSA-2007-0562.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0740