Bug 206736 - CVE-2006-5989 mod_auth_kerb segfaults when talking to newest KRB5 libs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_auth_kerb
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
impact=low,source=bugzilla,reported=2...
: Reopened
Depends On:
Blocks:
Reported: 2006-09-15 18:49 EDT by Kevin Unthank
Modified: 2007-11-30 17:07 EST

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-10-02 14:36:44 EDT


Attachments:
patch to allocate enough memory (470 bytes, patch), 2006-09-19 11:36 EDT, Nalin Dahyabhai
Description Kevin Unthank 2006-09-15 18:49:48 EDT
Description of problem:

I successfully got krb5-libs-1.5-7.pal.0.0.4.i386.rpm libs
authenticating to a windows 2003 active directory kerberos
server with certificates read from a smartcard

I was then trying to set up kerberos auth with apache on a system
running fc6test2.

Using mod_auth_kerb-5.0-10 for the server
and 
krb5-libs-1.5-7.pal.0.0.4.i386.rpm for the client

Initially when I tried to access the kerberos protected page
apache displayed an error page complaining that I didn't have the
correct service principal so I fixed that by using samba

net ads keytab add HTTP/fqdn@REALM

The webserver now shows a blank page.
/var/log/httpd/errors reports
exit signal Segmentation fault (11)
Comment 1 Nalin Dahyabhai 2006-09-19 11:36:04 EDT
This looks like a buffer overrun in der_get_oid().  There are two components
encoded in the first byte, but the length of the component array allocated is
only the same as the number of bytes.  If there are no components which require
more than one byte for encoding, then we'll write past the end of the allocated
array every time.  Attaching a patch.
Comment 2 Nalin Dahyabhai 2006-09-19 11:36:36 EDT
Created attachment 136650 [details]
patch to allocate enough memory
Comment 3 Joe Orton 2006-09-19 12:45:08 EDT
Can you test with mod_auth_kerb-5.1-2 from fc6-HEAD?  This completely removes
the SPNEGO-parsing code if built against krb5-1.4.
Comment 4 Nalin Dahyabhai 2006-09-19 16:31:50 EDT
5.1-2 also looks to work correctly.  Thanks!
Comment 5 Joe Orton 2006-09-20 11:40:00 EDT
Thanks a lot Nalin.  5.1-2 is moved to dist-fc6 so should get pulled in to -5E.
Comment 6 Jay Turner 2006-09-22 01:57:43 EDT
That version of mod_auth_kerb isn't built into a RHEL5 tree as of yet so
reopening (closed/rawhide isn't a valid state for RHEL bugs in the first place.)
Comment 7 Jay Turner 2006-10-02 14:36:44 EDT
[jkt@cobalt 4.91]$ find . -name "mod_auth_kerb*" -print
./i386/os/Server/mod_auth_kerb-5.1-2.i386.rpm
./i386/debug/mod_auth_kerb-debuginfo-5.1-2.i386.rpm
./ppc/os/Server/mod_auth_kerb-5.1-2.ppc.rpm
./ppc/debug/mod_auth_kerb-debuginfo-5.1-2.ppc.rpm
./x86_64/os/Server/mod_auth_kerb-5.1-2.x86_64.rpm
./x86_64/debug/mod_auth_kerb-debuginfo-5.1-2.x86_64.rpm
./s390x/os/Server/mod_auth_kerb-5.1-2.s390x.rpm
./s390x/debug/mod_auth_kerb-debuginfo-5.1-2.s390x.rpm
./ia64/os/Server/mod_auth_kerb-5.1-2.ia64.rpm
./ia64/debug/mod_auth_kerb-debuginfo-5.1-2.ia64.rpm
./source/SRPMS/mod_auth_kerb-5.1-2.src.rpm
[jkt@cobalt 4.91]$ pwd
/mnt/redhat/rel-eng/RHEL5-Server-20060927.0/4.91
