Red Hat Bugzilla – Bug 206736
CVE-2006-5989 mod_auth_kerb segfaults when talking to newest KRB5 libs
Last modified: 2007-11-30 17:07:33 EST
Description of problem:
I successfully got krb5-libs-1.5-7.pal.0.0.4.i386.rpm libs
authenticating to a windows 2003 active directory kerberos
server with certificates read from a smartcard
I was then trying to set up kerberos auth with apache on a system
Using mod_auth_kerb-5.0-10 for the server
krb5-libs-1.5-7.pal.0.0.4.i386.rpm for the client
Initially when I tried to access the kerberos protected page
apache displayed an error page complaining that I didn't have the
correct service principal so I fixed that by using samba
net ads keytab add HTTP/fqdn@REALM
The webserver now shows a blank page.
exit signal Segmentation fault (11)
This looks like a buffer overrun in der_get_oid(). There are two components
encoded in the first byte, but the length of the component array allocated is
only the same as the number of bytes. If there are no components which require
more than one byte for encoding, then we'll write past the end of the allocated
array every time. Attaching a patch.
Created attachment 136650 [details]
patch to allocate enough memory
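The allocation mismatch described in the comment above, shown as an added example that is not the mod_auth_kerb code or the attached patch. A DER OID body of N bytes always yields at least two arcs from its first byte plus one arc per byte whose high bit is clear, so an array sized to N arcs is one short whenever every arc fits in a single byte; the SPNEGO OID 1.3.6.1.5.5.2 (six bytes, seven arcs) is exactly that case. The function names, the two constructed OID byte strings and the simplified first-byte handling (second arc assumed to fit in the first byte) are assumptions of this example:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample OID bodies (DER content octets, no tag/length):
 * 1.3.6.1.5.5.2  (SPNEGO): every arc is a single byte -> 7 arcs from 6 bytes
 * 1.2.840.113549 (RSA):    two multi-byte arcs      -> 4 arcs from 6 bytes */
static const uint8_t SPNEGO_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
static const uint8_t RSA_OID[]    = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d};

/* Number of arcs in a DER OID body: two from the first byte, then one per
 * byte that terminates a base-128 group (high bit clear). Returns 0 for a
 * malformed body (empty, or ending in the middle of a group). */
size_t oid_component_count(const uint8_t *p, size_t len)
{
    if (len == 0)
        return 0;
    size_t n = 2;
    for (size_t i = 1; i < len; i++)
        if ((p[i] & 0x80) == 0)
            n++;
    if (len > 1 && (p[len - 1] & 0x80))
        return 0;                       /* trailing continuation byte */
    return n;
}

/* How many arcs the buggy "one slot per byte" allocation falls short by.
 * A positive result means the decoder would write past the array. */
long oid_overflow_margin(const uint8_t *p, size_t len)
{
    return (long)oid_component_count(p, len) - (long)len;
}

/* Decode into out[0..cap). Capacity is checked against the real arc count
 * before anything is written. Returns arcs written, or -1 on malformed
 * input or insufficient capacity. */
int oid_decode(const uint8_t *p, size_t len, unsigned *out, size_t cap)
{
    size_t need = oid_component_count(p, len);
    if (need == 0 || need > cap || out == NULL)
        return -1;

    size_t n = 0;
    /* Assumption: second arc fits in the first byte (true for 0.x, 1.x and
     * the common 2.x OIDs; a 2.x OID with second arc >= 40 is not handled). */
    if (p[0] < 40)      { out[n++] = 0; out[n++] = p[0]; }
    else if (p[0] < 80) { out[n++] = 1; out[n++] = p[0] - 40; }
    else                { out[n++] = 2; out[n++] = p[0] - 80; }

    uint64_t v = 0;
    int group_bytes = 0;
    for (size_t i = 1; i < len; i++) {
        if (++group_bytes > 9)          /* > 63 bits would overflow v */
            return -1;
        v = (v << 7) | (p[i] & 0x7f);
        if ((p[i] & 0x80) == 0) {
            out[n++] = (unsigned)v;
            v = 0;
            group_bytes = 0;
        }
    }
    return (int)n;
}

/* Convenience: the idx-th arc of an OID body, or -1 if it cannot be decoded. */
long oid_arc(const uint8_t *p, size_t len, size_t idx)
{
    unsigned arcs[32];
    int n = oid_decode(p, len, arcs, sizeof arcs / sizeof arcs[0]);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return arcs[idx];
}

int main(void)
{
    printf("SPNEGO: %zu arcs in %zu bytes, buggy allocation short by %ld\n",
           oid_component_count(SPNEGO_OID, sizeof SPNEGO_OID),
           sizeof SPNEGO_OID, oid_overflow_margin(SPNEGO_OID, sizeof SPNEGO_OID));
    printf("RSA:    %zu arcs in %zu bytes, buggy allocation short by %ld\n",
           oid_component_count(RSA_OID, sizeof RSA_OID),
           sizeof RSA_OID, oid_overflow_margin(RSA_OID, sizeof RSA_OID));
    return 0;
}
```

The point of checking the arc count before allocating (or, as here, before writing) rather than sizing by byte length is that the two numbers are unrelated: long arcs make the byte count larger than the arc count, short arcs make it smaller, and an attacker-supplied SPNEGO token chooses which.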
Can you test with mod_auth_kerb-5.1-2 from fc6-HEAD? This completely removes
the SPNEGO-parsing code if built against krb5-1.4.
5.1-2 also looks to work correctly. Thanks!
Thanks a lot Nalin. 5.1-2 is moved to dist-fc6 so should get pulled in to -5E.
That version of mod_auth_kerb isn't built into a RHEL5 tree as of yet so
reopening (closed/rawhide isn't a valid state for RHEL bugs in the first place.)
[jkt@cobalt 4.91]$ find . -name "mod_auth_kerb*" -print
[jkt@cobalt 4.91]$ pwd