Bug 415341 - (CVE-2007-5902) CVE-2007-5902 krb5: integer overflow in rpc lib
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=gentoo,reported=20071115,publi...
Reported: 2007-12-07 03:43 EST by Tomas Hoger
Modified: 2016-03-04 06:48 EST
Doc Type: Bug Fix
Last Closed: 2007-12-14 04:40:21 EST
Description Tomas Hoger 2007-12-07 03:43:04 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5902 to the following vulnerability:

Integer overflow in the svcauth_gss_get_principal function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have an unknown impact via a large length value for a GSS client name in an RPC request.

References:

http://bugs.gentoo.org/show_bug.cgi?id=199214
Comment 1 Mark J. Cox (Product Security) 2007-12-14 04:40:21 EST
http://marc.info/?l=full-disclosure&m=119743235325151&w=2
MIT say:

CVE-2007-5902
http://bugs.gentoo.org/show_bug.cgi?id=199214

This bug consists of an integer overflow in
svcauth_gss_get_principal() in src/lib/rpc/svc_auth_gss.c, which can
cause an invocation of memcpy() to overflow a zero-length allocated
buffer.  This is not a practical vulnerability due to the
nigh-impossibility of producing the conditions required to trigger the
bug.

char *
svcauth_gss_get_principal(SVCAUTH *auth)
{
        struct svc_rpc_gss_data *gd;
        char *pname;

        gd = SVCAUTH_PRIVATE(auth);

        if (gd->cname.length == 0)
                return (NULL);

        if ((pname = malloc(gd->cname.length + 1)) == NULL)
                return (NULL);

        memcpy(pname, gd->cname.value, gd->cname.length);
        pname[gd->cname.length] = '\0';

        return (pname);
}

If "gd->cname.length" is exactly SIZE_MAX, then the call to malloc()
will have an argument of zero due to the modular arithmetic used on
unsigned integer types in C.  If malloc(0) returns a non-null pointer
on a specific platform, then the subsequent memcpy() call can attempt
to copy SIZE_MAX bytes and overflow the zero-length buffer.

The value "gd->cname" results from calling krb5_unparse_name() with a
principal obtained during authentication.  To successfully exploit
this vulnerability, an attacker would need to successfully
authenticate using a principal name whose unparsed string
representation is exactly SIZE_MAX+1 bytes long.  Such a principal
name is very unlikely to exist, and even if such an unusual principal
did exist, the C implementation would have to successfully allocate a
buffer SIZE_MAX+1 bytes long, which almost certainly will not succeed.
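
The wrap described in the comment above and a checked form of the same copy, as an added example that is not MIT's code or a patch from this bug. struct name_buf and all three function names are hypothetical stand-ins for gd->cname and its handling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the length/value pair held in gd->cname. */
struct name_buf {
    size_t length;
    const void *value;
};

/* The size expression passed to malloc() in the function quoted above.
 * Unsigned arithmetic is modular, so this is 0 when length == SIZE_MAX. */
size_t unchecked_alloc_size(size_t length)
{
    return length + 1;
}

/* Store length + 1 in *out; return 0 on success, -1 if the sum would wrap. */
int checked_alloc_size(size_t length, size_t *out)
{
    if (length > SIZE_MAX - 1)
        return -1;
    *out = length + 1;
    return 0;
}

/* NUL-terminated copy of the name, or NULL. Same contract as the quoted
 * function, but the wrap is rejected before any allocation or copy. */
char *dup_name_checked(const struct name_buf *n)
{
    size_t need;
    char *p;

    if (n == NULL || n->value == NULL || n->length == 0)
        return NULL;
    if (checked_alloc_size(n->length, &need) != 0)
        return NULL;
    if ((p = malloc(need)) == NULL)
        return NULL;
    memcpy(p, n->value, n->length);
    p[n->length] = '\0';
    return p;
}
```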
