The kerberos project reports: The IAKERB mechanism currently replaces its context handle with the krb5 mechanism handle upon establishment, under the assumption that most GSS functions are only called after context establishment. This assumption is incorrect, and can lead to aliasing violations for some programs. Maintain the IAKERB context structure after context establishment and add new IAKERB entry points to refer to it with that type. Add initiate and established flags to the IAKERB context structure for use in gss_inquire_context() prior to context establishment. CVE-2015-2696: In MIT krb5 1.9 and later, applications which call gss_inquire_context() on a partially-established IAKERB context can cause the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. Java server applications using the native JGSS provider are vulnerable to this bug. A carefully crafted IAKERB packet might allow the gss_inquire_context() call to succeed with attacker-determined results, but applications should not make access control decisions based on gss_inquire_context() results prior to context establishment. External references: https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1275872]
https://bodhi.fedoraproject.org/updates/FEDORA-2015-be1b87a3b7 https://bodhi.fedoraproject.org/updates/FEDORA-2015-e6791ce284 https://bodhi.fedoraproject.org/updates/FEDORA-2015-ae56161457 Unfortunately I don't see an easy way to associate these bugs with those.
The patches for CVE-2015-2696 contained a regression in the newly added IAKERB iakerb_gss_export_sec_context() function, which could cause it to corrupt memory. Fix the regression by properly dereferencing the context_handle pointer before casting it. Please see BZ#1278951 for information on CVE-2015-2698 which addresses this regression.