Bug 442314

Summary: Buffer overflow when SElinux enabled.
Product: Red Hat Enterprise Linux 5
Reporter: Pawel Salek <pawsa>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 5.1
CC: jplans
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-15 15:24:41 UTC
Bug Depends On: 436345

Description Pawel Salek 2008-04-14 09:49:16 UTC
+++ This bug was initially created as a clone of Bug #436345 +++

Description of problem:
The selinux-label patch adds code that does not compute the buffer size correctly (a
typical off-by-one error).  This will at best corrupt the heap whenever the code is
executed.

Version-Release number of selected component (if applicable):
krb5-libs-1.6.1-17.el5_1.1

How reproducible:
100%

Steps to Reproduce:
1. Have SELinux enabled.
2. Try transferring a file from a local directory so that the path does not start
with /.
3. Watch the heap being corrupted (MALLOC_CHECK_=2 helps to see it already the
first time).

Additional info:
The patch is attached to the original report. The bug has already been fixed in F8, in the
krb5-1.6.2-14.fc8 release.
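An illustrative reconstruction of the bug class the report describes, added here as an example: a buffer sized without the extra byte a relative path gains when "/" is prepended. This is not the krb5 selinux-label patch or its fix; the prepend-"/" behaviour and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed scenario (not the real krb5 code): a label-handling routine needs an
 * absolute path, so it prepends "/" when the caller supplies a relative one. */

/* Buggy sizing: counts the path and its NUL but forgets the prepended '/'.
 * For "etc/krb5.conf" this returns 14 while 15 bytes are written. */
size_t needed_buggy(const char *path) {
    return strlen(path) + 1;
}

/* Correct sizing: path bytes, the optional leading '/', and the NUL. */
size_t needed_fixed(const char *path) {
    size_t n = strlen(path) + 1;
    if (path[0] != '/')
        n += 1;
    return n;
}

/* Bytes the copy actually writes (including NUL), independent of how the
 * buffer was sized. */
size_t bytes_written(const char *path) {
    return strlen(path) + 1 + (path[0] != '/' ? 1 : 0);
}

/* How many bytes past the end the buggy sizing would write: 0 for an
 * absolute path, 1 for a relative one (the off-by-one from the report).
 * MALLOC_CHECK_=2 makes glibc abort on exactly this kind of heap damage. */
int overflow_bytes(const char *path) {
    size_t need = bytes_written(path), got = needed_buggy(path);
    return need > got ? (int)(need - got) : 0;
}

/* Hardened builder: allocates the correct size and refuses to write past it.
 * Returns NULL on allocation failure or truncation. */
char *make_absolute(const char *path) {
    size_t n = needed_fixed(path);
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    int r = snprintf(buf, n, "%s%s", path[0] == '/' ? "" : "/", path);
    if (r < 0 || (size_t)r >= n) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Builds the path and checks it against the expected result; 1 on match. */
int make_absolute_matches(const char *path, const char *expected) {
    char *p = make_absolute(path);
    int ok = (p != NULL && strcmp(p, expected) == 0);
    free(p);
    return ok;
}
```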

Comment 1 Nalin Dahyabhai 2008-04-15 15:24:41 UTC

*** This bug has been marked as a duplicate of 426085 ***

Comment 2 Kevin B. Hendricks 2008-04-15 16:00:29 UTC
Hi,

One question: why hasn't there been an update for this released for Red Hat Enterprise 5.* yet?
   - the dates on the main report indicate the fix was made *months* ago
   - the problem is a "simple off by one" according to the report
   - the fix has been field tested in fc8 (which explains why my fc8 machine did not have the problem)
   - heap corruption can in general be a serious issue
   - it is impacting Redhat Enterprise 5 clients in the field as we speak

Just wondering why it has taken months to see an update.

I realize you can't control when it is released, but this one sure seems like it should have already been out there given it can't make things any worse than the sigabort we are seeing now.

Comment 3 Nalin Dahyabhai 2008-04-15 16:41:47 UTC
The fix is currently slated for inclusion in the upcoming update release.  The
corruption in this case doesn't look at all server-influenced, so it hasn't been
bumped to a higher priority.