Bug 250973 (CVE-2007-3999)

Summary: CVE-2007-3999 krb5 RPC library buffer overflow
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: urgent
Version: unspecified
CC: cvsbot-xmlrpc, kreilly, nalin, steved
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 0.1.7-15.fc8
Doc Type: Bug Fix
Last Closed: 2008-03-06 16:35:48 UTC
Bug Depends On: 250997, 250998, 265001, 265021, 265041, 265061, 294901, 294911, 294921, 294931, 362091, 362101, 362111, 362121

Attachments:
- proposed patch from MIT (flags: none)
- Updated patch from MIT (flags: none)

Description Mark J. Cox 2007-08-06 09:19:50 UTC
MIT notified us of a kadmind RPC lib buffer overflow, uninitialized pointer. Will be public on 04 September 2007, at 14:00 US/Eastern time.

This issue has not been triaged, as it may well affect recent RHEL distributions with a different severity (flaw type is likely caught by fortify_source).

Comment 3 Mark J. Cox 2007-08-06 09:24:04 UTC
Created attachment 160738: proposed patch from MIT

Comment 7 Tomas Hoger 2007-08-28 06:13:55 UTC
Update from MIT Kerberos team:

We have discovered that the server-side code in nfs-utils is also
vulnerable to CVE-2007-3999.  If you are distributing nfs-utils or
some derivative, you may care about this.  According to Kevin Coffman
of the University of Michigan, nfs-utils is probably not vulnerable
because it does not actually execute any server-side RPC code.  We are
working to confirm this assertion, but note that third-party server
applications that link with the RPC library in nfs-utils may be
vulnerable to CVE-2007-3999.


Comment 9 Mark J. Cox 2007-09-04 18:11:14 UTC
now public at http://web.mit.edu/Kerberos/advisories/
removing embargo

Comment 10 Josh Bressers 2007-09-12 13:10:43 UTC
Created attachment 193381: Updated patch from MIT

Comment 15 Fedora Update System 2008-01-26 14:55:40 UTC
libtirpc-0.1.7-15.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update libtirpc'
You can provide feedback for this update here: http://admin.fedoraproject.org/F8/FEDORA-2008-1017

Comment 16 Luke Macken 2008-01-26 18:15:12 UTC
The above url should read
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1017

Comment 17 Fedora Update System 2008-03-06 16:35:43 UTC
libtirpc-0.1.7-15.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.