Bug 1302642 - (CVE-2015-8631) CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160108,repor...
Keywords: Security
Depends On: 1302643 1306969 1306970 1306973 1306974
Blocks: 1302647
 
Reported: 2016-01-28 05:19 EST by Adam Mariš
Modified: 2016-04-03 19:19 EDT (History)

See Also:
Fixed In Version: krb5 1.14.1, krb5 1.13.4
Doc Type: Bug Fix
Doc Text:
A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-01 03:07:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Adam Mariš 2016-01-28 05:19:03 EST
It was reported that if krb5_unparse_name() fails, many of the stubs will leak the client and server name. In all versions of MIT krb5, an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.

Upstream patch:

https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2
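The leak class described in this report, shown as an added illustration that is not krb5 code and not the upstream patch: a hypothetical request stub unparses the authenticated client name, the server name and then the principal carried in the request; when the last krb5_unparse_name() call fails on a null name, an early return skips the frees of the first two strings, and every repeated request leaves two more strings behind. The fixed variant routes every exit through one cleanup label. `principal_t`, `mock_unparse_name()` (a stand-in for krb5_unparse_name()), the two stubs, the allocation counter and the sample principal names are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a krb5 principal (not krb5's own type): a NULL
 * name models the null principal name a request can carry. */
typedef struct { const char *name; } principal_t;

/* Outstanding heap strings; a leak shows up as a non-zero count. */
static int live_allocs = 0;

static char *dup_tracked(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) { strcpy(p, s); live_allocs++; }
    return p;
}

static void free_tracked(char *p) {
    if (p != NULL) { free(p); live_allocs--; }
}

/* Mock of krb5_unparse_name(): fails (non-zero) on a null name, otherwise
 * returns a freshly allocated string the caller is responsible for freeing. */
static int mock_unparse_name(const principal_t *princ, char **out) {
    *out = NULL;
    if (princ == NULL || princ->name == NULL) return 1;
    *out = dup_tracked(princ->name);
    return (*out == NULL) ? 1 : 0;
}

typedef int (*stub_fn)(const principal_t *, const principal_t *,
                       const principal_t *);

/* Leaky pattern: the authenticated client and the server are unparsed first,
 * then the principal named in the request. An early return when that third
 * call fails skips the frees of client_name and server_name. */
int stub_leaky(const principal_t *client, const principal_t *server,
               const principal_t *request_princ) {
    char *client_name = NULL, *server_name = NULL, *request_name = NULL;
    int ret;
    if ((ret = mock_unparse_name(client, &client_name)) != 0) return ret;
    if ((ret = mock_unparse_name(server, &server_name)) != 0)
        return ret;                           /* leaks client_name */
    if ((ret = mock_unparse_name(request_princ, &request_name)) != 0)
        return ret;                           /* leaks client and server names */
    /* ... a real stub would authorize and log using the three names here ... */
    free_tracked(request_name);
    free_tracked(server_name);
    free_tracked(client_name);
    return 0;
}

/* Fixed pattern: a single cleanup label. Every exit frees whatever was set;
 * free_tracked() tolerates the NULLs of names that were never allocated. */
int stub_fixed(const principal_t *client, const principal_t *server,
               const principal_t *request_princ) {
    char *client_name = NULL, *server_name = NULL, *request_name = NULL;
    int ret;
    if ((ret = mock_unparse_name(client, &client_name)) != 0) goto cleanup;
    if ((ret = mock_unparse_name(server, &server_name)) != 0) goto cleanup;
    if ((ret = mock_unparse_name(request_princ, &request_name)) != 0) goto cleanup;
    /* ... authorize and log ... */
cleanup:
    free_tracked(request_name);
    free_tracked(server_name);
    free_tracked(client_name);
    return ret;
}

/* Sends 'requests' requests that carry a null principal name through 'stub'
 * and returns how many heap strings are still outstanding afterwards. */
int leaked_after(stub_fn stub, int requests) {
    /* Constructed sample principals; the third is the null name. */
    principal_t client = { "admin/admin@EXAMPLE.COM" };
    principal_t server = { "kadmin/admin@EXAMPLE.COM" };
    principal_t null_princ = { NULL };
    live_allocs = 0;
    for (int i = 0; i < requests; i++) (void)stub(&client, &server, &null_princ);
    return live_allocs;
}

/* Checks that a well-formed request succeeds and leaves nothing allocated. */
int clean_on_success(stub_fn stub) {
    principal_t client = { "admin/admin@EXAMPLE.COM" };
    principal_t server = { "kadmin/admin@EXAMPLE.COM" };
    principal_t target = { "alice@EXAMPLE.COM" };
    live_allocs = 0;
    return stub(&client, &server, &target) == 0 && live_allocs == 0;
}

int main(void) {
    printf("leaky stub, 1000 null-name requests: %d strings outstanding\n",
           leaked_after(stub_leaky, 1000));
    printf("fixed stub, 1000 null-name requests: %d strings outstanding\n",
           leaked_after(stub_fixed, 1000));
    return 0;
}
```

Both stubs behave identically on well-formed requests, which is why this leak survives ordinary functional testing: only the failure path differs, and only a counter like `live_allocs` (or a leak checker run over a loop of malformed requests) makes the per-request growth visible. The single-cleanup-label shape is the general fix for this class of bug, because adding a fourth unparse call later cannot introduce a new early-return path that forgets earlier allocations.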
Comment 1 Adam Mariš 2016-01-28 05:19:31 EST
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1302643]
Comment 4 Cedric Buissart 2016-02-16 10:18:44 EST
Acknowledgements:

This issue was discovered by Simo Sorce of Red Hat.
Comment 6 Tomas Hoger 2016-03-03 16:29:15 EST
Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343

Fixed upstream in krb5 1.14.1:

http://web.mit.edu/kerberos/krb5-1.14/krb5-1.14.1.html

The upstream bug report also indicates the issue will be fixed in 1.13.4.
Comment 7 errata-xmlrpc 2016-03-22 17:02:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0493 https://rhn.redhat.com/errata/RHSA-2016-0493.html
Comment 8 errata-xmlrpc 2016-03-31 18:03:43 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0532 https://rhn.redhat.com/errata/RHSA-2016-0532.html
