Bug 152731 - buffer overflows in krb5_aname_to_localname
Status: CLOSED DUPLICATE of bug 152773
Product: Fedora Legacy
Classification: Retired
Component: Package request
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
http://web.mit.edu/kerberos/advisorie...
LEGACY, REVIEWED, rh73, rh90
Reported: 2004-06-05 03:50 EDT by Marc Deslauriers
Modified: 2014-01-21 17:51 EST
Doc Type: Bug Fix
Last Closed: 2005-04-05 19:08:12 EDT
Description David Lawrence 2005-03-30 18:25:29 EST
The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access.  Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-05 03:53:16 ----

Additional info:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:056
http://fedoranews.org/updates/FEDORA-2004-150.shtml




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-05 03:59:57 ----

Here are packages with the MIT patch for 7.3 and 9.

Changelog:
* Sat Jun 05 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.2.7-15.legacy
- apply updated patch from MITKRB5-SA-2004-001 (revision 2004-06-02)

7.3:
225b92c03d5fe8b556b69791eb5bfac40d20e9fc  krb5-1.2.4-12.legacy.src.rpm
24f9607879df708927140f3b0754ea201a5ff2fd  krb5-devel-1.2.4-12.legacy.i386.rpm
74f891418238cb2ff1aff10bf48ab054302eddd5  krb5-libs-1.2.4-12.legacy.i386.rpm
2a54c51299798dc0ef330da26908f7693c22960b  krb5-server-1.2.4-12.legacy.i386.rpm
4364fd606caf3e9af578fb9183468441fc323e0c  krb5-workstation-1.2.4-12.legacy.i386.rpm

9:
4b7eb17eb6358060b3639db117592e413889dc80  krb5-1.2.7-15.legacy.src.rpm
8296cc33572c7cf5549df676ece7582cc7eedd5f  krb5-devel-1.2.7-15.legacy.i386.rpm
1a9984bf1c5621f08cc6d1c2b4ccd435ccf7cc97  krb5-libs-1.2.7-15.legacy.i386.rpm
76c6ca79728997f71ffb8cf2ba803e6f01bb8edb  krb5-server-1.2.7-15.legacy.i386.rpm
fdd8cc44288ab441ccc6ca6cba855c8d9a2aa6f8  krb5-workstation-1.2.7-15.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/krb5-1.2.4-12.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/krb5-devel-1.2.4-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/krb5-libs-1.2.4-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/krb5-server-1.2.4-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/krb5-workstation-1.2.4-12.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/krb5-1.2.7-15.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-devel-1.2.7-15.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-libs-1.2.7-15.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-server-1.2.7-15.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-workstation-1.2.7-15.legacy.i386.rpm




------- Additional Comments From jonny.strom@netikka.fi 2004-06-05 06:32:15 ----

I did a QA on the RH 9 packages of krb5.

SHA1 is ok.

Installs ok.

I did basic functionality testing and everything is working as expected.

I vote for publish.





------- Additional Comments From abo@stacken.kth.se 2004-06-07 00:13:44 ----

It seems ok. I can log in through GDM and telnet to and from the test machine.




------- Additional Comments From jkeating@j2solutions.net 2004-06-17 09:21:01 ----

Guys, can I get some gpg signed sha1sum'd QA reports?  I'm in a build frenzy and
I'd like to build these out for updates-testing....



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-02 13:47:19 ----

This bug has been obsoleted by bug 2040



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-06 14:29:08 ----

Packages in bug 2040 were pushed to updates-testing.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1726 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1726
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2040.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 19:08:12 EDT

*** This bug has been marked as a duplicate of 152773 ***
