Bug 245548 - CVE-2007-2443 krb5 RPC library stack overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=important,reported=20070503,pu...
Keywords: Security
Depends On: 239073 245544
Reported: 2007-06-25 07:41 EDT by Mark J. Cox (Product Security)
Modified: 2008-02-26 10:14 EST
Doc Type: Bug Fix
Last Closed: 2008-02-26 10:14:46 EST
Attachments: None
Description Mark J. Cox (Product Security) 2007-06-25 07:41:55 EDT
The MIT Kerberos Team has made us aware of the following flaw in krb5:
CVE-2007-2443: The RPC library can write past the end of a stack
buffer.

CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true if "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer.  Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame.  Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.
Comment 1 Mark J. Cox (Product Security) 2007-06-25 07:45:21 EDT
On all architectures of Red Hat Enterprise Linux the memmove with large size
will just segfault and therefore this issue can lead to a denial of service.

(Note that this memmove overflow is not caught by FORTIFY_SOURCE due to the
structure of the code.)
Comment 3 Josh Bressers 2007-06-26 14:21:03 EDT
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt
Comment 4 Red Hat Product Security 2008-02-26 10:14:46 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0384.html
  http://rhn.redhat.com/errata/RHSA-2007-0562.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0740
