Bug 415341 (CVE-2007-5902) - CVE-2007-5902 krb5: integer overflow in rpc lib
Summary: CVE-2007-5902 krb5: integer overflow in rpc lib
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-5902
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-07 08:43 UTC by Tomas Hoger
Modified: 2021-11-12 19:46 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-12-14 09:40:21 UTC
Embargoed:

Attachments (Terms of Use)

Description Tomas Hoger 2007-12-07 08:43:04 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5902 to the following vulnerability:

Integer overflow in the svcauth_gss_get_principal function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have an unknown impact via a large length value for a GSS client name in an RPC request.

References:

http://bugs.gentoo.org/show_bug.cgi?id=199214
Comment 1 Mark J. Cox 2007-12-14 09:40:21 UTC 
http://marc.info/?l=full-disclosure&m=119743235325151&w=2
MIT say:

CVE-2007-5902
http://bugs.gentoo.org/show_bug.cgi?id=199214

This bug consists of an integer overflow in
svcauth_gss_get_principal() in src/lib/rpc/svc_auth_gss.c, which can
cause an invocation of memcpy() to overflow a zero-length allocated
buffer.  This is not a practical vulnerability due to the
nigh-impossibility of producing the conditions required to trigger the
bug.

   641  svcauth_gss_get_principal(SVCAUTH *auth)
   642  {
   643          struct svc_rpc_gss_data *gd;
   644          char *pname;
   645  
   646          gd = SVCAUTH_PRIVATE(auth);
   647  
   648          if (gd->cname.length == 0)
   649                  return (NULL);
   650  
   651          if ((pname = malloc(gd->cname.length + 1)) == NULL)
   652                  return (NULL);
   653  
   654          memcpy(pname, gd->cname.value, gd->cname.length);
   655          pname[gd->cname.length] = '\0';
   656  
   657          return (pname);
   658  }

If "gd->cname.length" is exactly SIZE_MAX, then the call to malloc()
will have an argument of zero due to the modular arithmetic used on
unsigned integer types in C.  If malloc(0) returns a non-null pointer
on a specific platform, then the subsequent memcpy() call can attempt
to copy SIZE_MAX bytes and overflow the zero-length buffer.

The value "gd->cname" results from calling krb5_unparse_name() with a
principal obtained during authentication.  To successfully exploit
this vulnerability, an attacker would need to successfully
authenticate using a principal name whose unparsed string
representation is exactly SIZE_MAX+1 bytes long.  Such a principal
name is very unlikely to exist, and even if such an unusual principal
did exist, the C implementation would have to successfully allocate a
buffer SIZE_MAX+1 bytes long, which almost certainly will not succeed.
Note You need to log in before you can comment on or make changes to this bug.