Bug 206736 - CVE-2006-5989 mod_auth_kerb segfaults when talking to newest KRB5 libs
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_auth_kerb
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Joe Orton
Whiteboard: impact=low,source=bugzilla,reported=2...
Reported: 2006-09-15 22:49 UTC by Kevin Unthank
Modified: 2007-11-30 22:07 UTC

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-10-02 18:36:44 UTC


Attachments
patch to allocate enough memory (470 bytes, patch)
2006-09-19 15:36 UTC, Nalin Dahyabhai

Description Kevin Unthank 2006-09-15 22:49:48 UTC
Description of problem:

I successfully got krb5-libs-1.5-7.pal.0.0.4.i386.rpm libs
authenticating to a windows 2003 active directory kerberos
server with certificates read from a smartcard

I was then trying to set up kerberos auth with apache on a system
running fc6test2.

Using mod_auth_kerb-5.0-10 for the server
and 
krb5-libs-1.5-7.pal.0.0.4.i386.rpm for the client

Initially when I tried to access the kerberos protected page
apache displayed an error page complaining that I didn't have the
correct service principal so I fixed that by using samba

net ads keytab add HTTP/fqdn@REALM

The webserver now shows a blank page.
/var/log/httpd/errors reports
exit signal Segmentation fault (11)

Comment 1 Nalin Dahyabhai 2006-09-19 15:36:04 UTC
This looks like a buffer overrun in der_get_oid().  There are two components
encoded in the first byte, but the length of the component array allocated is
only the same as the number of bytes.  If there are no components which require
more than one byte for encoding, then we'll write past the end of the allocated
array every time.  Attaching a patch.
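
The sizing problem described in comment 1, as an added example that is not the mod_auth_kerb source or the attached patch: an OID's DER content of `len` bytes can decode to `len + 1` components, so the output array needs `len + 1` slots. The names `oid_arc_count` and `oid_decode` are hypothetical, and the sample bytes are constructed from the standard encodings of the SPNEGO and Kerberos 5 mechanism OIDs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample inputs: DER content bytes of two well-known OIDs. */
static const unsigned char SPNEGO_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}; /* 1.3.6.1.5.5.2 */
static const unsigned char KRB5_OID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}; /* 1.2.840.113554.1.2.2 */

/* Number of components encoded in len content bytes (0 if none terminates). */
size_t oid_arc_count(const unsigned char *p, size_t len)
{
    size_t i, ends = 0;
    for (i = 0; i < len; i++)
        if (!(p[i] & 0x80)) ends++;      /* high bit clear: last byte of a subidentifier */
    return ends ? ends + 1 : 0;          /* +1: the first subidentifier holds two components */
}

/* Hypothetical decoder: returns 0 and a malloc'd array, or -1 on bad input. */
int oid_decode(const unsigned char *p, size_t len, unsigned **arcs, size_t *count)
{
    size_t cap, n = 0, i;
    unsigned *a, u = 0;
    if (len == 0 || len >= SIZE_MAX / sizeof(*a)) return -1;
    if (p[len - 1] & 0x80) return -1;    /* last subidentifier is truncated */
    cap = len + 1;                       /* worst case: one component per byte, plus one */
    if ((a = malloc(cap * sizeof(*a))) == NULL) return -1;
    for (i = 0; i < len; i++) {
        if (u > (UINT_MAX >> 7)) { free(a); return -1; }  /* component would overflow */
        u = (u << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;       /* more bytes follow for this component */
        if (n == 0) {                    /* first subidentifier is 40 * first + second */
            a[0] = u < 80 ? u / 40 : 2;
            a[1] = u - 40 * a[0];
            n = 2;
        } else if (n < cap) {
            a[n++] = u;
        } else { free(a); return -1; }   /* unreachable with cap = len + 1; kept as a guard */
        u = 0;
    }
    *arcs = a;
    *count = n;
    return 0;
}

int main(void)
{
    printf("SPNEGO: %zu bytes, %zu components\n", sizeof SPNEGO_OID, oid_arc_count(SPNEGO_OID, sizeof SPNEGO_OID));
    printf("krb5:   %zu bytes, %zu components\n", sizeof KRB5_OID, oid_arc_count(KRB5_OID, sizeof KRB5_OID));
    return 0;
}
```

The SPNEGO OID is the case comment 1 describes: every component after the first byte fits in one byte, so 6 bytes yield 7 components, while the Kerberos 5 OID has multi-byte components and yields only 7 from 9 bytes.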

Comment 2 Nalin Dahyabhai 2006-09-19 15:36:36 UTC
Created attachment 136650
patch to allocate enough memory

Comment 3 Joe Orton 2006-09-19 16:45:08 UTC
Can you test with mod_auth_kerb-5.1-2 from fc6-HEAD?  This completely removes
the SPNEGO-parsing code if built against krb5-1.4.

Comment 4 Nalin Dahyabhai 2006-09-19 20:31:50 UTC
5.1-2 also looks to work correctly.  Thanks!

Comment 5 Joe Orton 2006-09-20 15:40:00 UTC
Thanks a lot Nalin.  5.1-2 is moved to dist-fc6 so should get pulled in to -5E.

Comment 6 Jay Turner 2006-09-22 05:57:43 UTC
That version of mod_auth_kerb isn't built into a RHEL5 tree as of yet so
reopening (closed/rawhide isn't a valid state for RHEL bugs in the first place.)

Comment 7 Jay Turner 2006-10-02 18:36:44 UTC
[jkt@cobalt 4.91]$ find . -name "mod_auth_kerb*" -print
./i386/os/Server/mod_auth_kerb-5.1-2.i386.rpm
./i386/debug/mod_auth_kerb-debuginfo-5.1-2.i386.rpm
./ppc/os/Server/mod_auth_kerb-5.1-2.ppc.rpm
./ppc/debug/mod_auth_kerb-debuginfo-5.1-2.ppc.rpm
./x86_64/os/Server/mod_auth_kerb-5.1-2.x86_64.rpm
./x86_64/debug/mod_auth_kerb-debuginfo-5.1-2.x86_64.rpm
./s390x/os/Server/mod_auth_kerb-5.1-2.s390x.rpm
./s390x/debug/mod_auth_kerb-debuginfo-5.1-2.s390x.rpm
./ia64/os/Server/mod_auth_kerb-5.1-2.ia64.rpm
./ia64/debug/mod_auth_kerb-debuginfo-5.1-2.ia64.rpm
./source/SRPMS/mod_auth_kerb-5.1-2.src.rpm
[jkt@cobalt 4.91]$ pwd
/mnt/redhat/rel-eng/RHEL5-Server-20060927.0/4.91


