Bug 490634 (CVE-2009-0845) - CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001)
Summary: CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-200...
Status: CLOSED ERRATA
Alias: CVE-2009-0845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://krbdev.mit.edu/rt/Ticket/Displ...
Whiteboard: source=vendorsec,impact=important,rep...
Keywords: Security
Depends On: 490635 490636
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-17 12:46 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:43 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2009-04-09 09:35:20 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0408 normal SHIPPED_LIVE Important: krb5 security update 2009-04-07 18:47:39 UTC
Gentoo 262736 None None None Never

Description Jan Lieskovsky 2009-03-17 12:46:15 UTC
A null pointer dereference flaw was found in Kerberos's GSS-API spnego
security mechanism implemenation. A local user could use this flaw
to cause a denial of service (krb5 daemon crash) via invalid ContextFlags for
the reqFlags field in the NegTokenInit (RFC 4178).

References:
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402

Upstream patch:
http://src.mit.edu/fisheye/changelog/krb5/?cs=22099

Comment 2 Fedora Update System 2009-03-17 23:00:49 UTC
krb5-1.6.3-17.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/krb5-1.6.3-17.fc10

Comment 3 Fedora Update System 2009-03-17 23:01:09 UTC
krb5-1.6.3-15.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/krb5-1.6.3-15.fc9

Comment 4 Tomas Hoger 2009-03-18 08:20:18 UTC
This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.

Comment 5 Mark J. Cox 2009-03-18 09:07:35 UTC
Upstream commit:
http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=22084&view=rev

Comment 9 Vincent Danen 2009-03-27 18:42:31 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0845 to
the following vulnerability:

Name: CVE-2009-0845
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
Assigned: 20090306
Reference: CONFIRM: http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402
Reference: CONFIRM: http://src.mit.edu/fisheye/browse/krb5/trunk/src/lib/gssapi/spnego/spnego_mech.c?r1=21875&r2=22084
Reference: CONFIRM: http://src.mit.edu/fisheye/changelog/krb5/?cs=22084
Reference: BID:34257
Reference: URL: http://www.securityfocus.com/bid/34257
Reference: SECUNIA:34347
Reference: URL: http://secunia.com/advisories/34347
Reference: VUPEN:ADV-2009-0847
Reference: URL: http://www.vupen.com/english/advisories/2009/0847 The spnego_gss_accept_sec_context function in
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3,
when SPNEGO is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via invalid
ContextFlags data in the reqFlags field in a negTokenInit token.

Comment 10 Tomas Hoger 2009-04-07 18:20:56 UTC
Covered now in upstream security advisory:
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt

Final upstream patch differs from the previous one:
  https://bugzilla.redhat.com/show_bug.cgi?id=491033#c7

Comment 11 errata-xmlrpc 2009-04-07 18:47:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0408 https://rhn.redhat.com/errata/RHSA-2009-0408.html

Comment 12 Fedora Update System 2009-04-07 23:23:02 UTC
krb5-1.6.3-16.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-04-07 23:23:22 UTC
krb5-1.6.3-18.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.