Bug 490634 - (CVE-2009-0845) CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
http://krbdev.mit.edu/rt/Ticket/Displ...
source=vendorsec,impact=important,rep...
Keywords: Security
Depends On: 490635 490636
Reported: 2009-03-17 08:46 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:21 EST
Doc Type: Bug Fix
Last Closed: 2009-04-09 05:35:20 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Gentoo 262736 None None None Never
Red Hat Product Errata RHSA-2009:0408 normal SHIPPED_LIVE Important: krb5 security update 2009-04-07 14:47:39 EDT

Description Jan Lieskovsky 2009-03-17 08:46:15 EDT
A null pointer dereference flaw was found in Kerberos's GSS-API spnego
security mechanism implementation. A local user could use this flaw
to cause a denial of service (krb5 daemon crash) via invalid ContextFlags for
the reqFlags field in the NegTokenInit (RFC 4178).

References:
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402

Upstream patch:
http://src.mit.edu/fisheye/changelog/krb5/?cs=22099
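
Added example (not part of the bug report and not krb5 code): a defensive decoder for the reqFlags element of a NegTokenInit, plus an accept path whose shared exit code tolerates a context that was never allocated. All function, type and constant names are hypothetical, and where the NULL check sits is an assumption, since the report does not show the affected code.

```c
#include <stdint.h>
#include <stdlib.h>

/* All names here are hypothetical; this is not krb5 source code. */
enum { NEG_OK = 0, NEG_DEFECTIVE_TOKEN = 1, NEG_FAILURE = 2 };
struct neg_ctx { uint32_t req_flags; };

/* Decode "reqFlags [1] ContextFlags OPTIONAL" (RFC 4178): context tag 0xA1
 * wrapping a DER BIT STRING. buf is assumed to hold only this element. */
static int decode_req_flags(const uint8_t *buf, size_t len, uint32_t *flags)
{
    *flags = 0;
    if (len == 0 || buf[0] != 0xA1)
        return NEG_OK;                  /* optional field absent */
    if (len < 5 || len > 9 || buf[1] != len - 2 || buf[2] != 0x03 ||
        buf[3] != len - 4 || buf[4] > 7 || (len == 5 && buf[4] != 0))
        return NEG_DEFECTIVE_TOKEN;     /* bad tag, length or unused-bits count */
    for (size_t i = 5; i < len; i++)    /* flag bit 0 is the MSB of byte 5 */
        *flags |= (uint32_t)buf[i] << (8 * (8 - i));
    return NEG_OK;
}

/* The context is allocated only after the token decodes cleanly, so the
 * shared exit code must tolerate sc == NULL. */
static int accept_token(const uint8_t *buf, size_t len,
                        struct neg_ctx **ctx_out, uint32_t *reply_flags)
{
    struct neg_ctx *sc = NULL;
    uint32_t flags;
    int ret = decode_req_flags(buf, len, &flags);

    if (ret == NEG_OK && (sc = calloc(1, sizeof(*sc))) == NULL)
        ret = NEG_FAILURE;
    if (sc != NULL)
        sc->req_flags = flags;
    /* Runs on success and failure alike: reading sc->req_flags here
     * without the NULL test would dereference NULL on the error path. */
    *reply_flags = (sc != NULL) ? sc->req_flags : 0;
    *ctx_out = sc;
    return ret;
}

int main(void)
{
    /* Constructed sample: a reqFlags element with the BIT STRING tag corrupted. */
    const uint8_t bad[] = { 0xA1, 0x04, 0x04, 0x02, 0x06, 0x40 };
    struct neg_ctx *sc; uint32_t reply;
    return accept_token(bad, sizeof bad, &sc, &reply) == NEG_DEFECTIVE_TOKEN ? 0 : 1;
}
```
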
Comment 2 Fedora Update System 2009-03-17 19:00:49 EDT
krb5-1.6.3-17.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/krb5-1.6.3-17.fc10
Comment 3 Fedora Update System 2009-03-17 19:01:09 EDT
krb5-1.6.3-15.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/krb5-1.6.3-15.fc9
Comment 4 Tomas Hoger 2009-03-18 04:20:18 EDT
This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.
Comment 5 Mark J. Cox 2009-03-18 05:07:35 EDT
Upstream commit:
http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=22084&view=rev
Comment 9 Vincent Danen 2009-03-27 14:42:31 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0845 to
the following vulnerability:

Name: CVE-2009-0845
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
Assigned: 20090306
Reference: CONFIRM: http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402
Reference: CONFIRM: http://src.mit.edu/fisheye/browse/krb5/trunk/src/lib/gssapi/spnego/spnego_mech.c?r1=21875&r2=22084
Reference: CONFIRM: http://src.mit.edu/fisheye/changelog/krb5/?cs=22084
Reference: BID:34257
Reference: URL: http://www.securityfocus.com/bid/34257
Reference: SECUNIA:34347
Reference: URL: http://secunia.com/advisories/34347
Reference: VUPEN:ADV-2009-0847
Reference: URL: http://www.vupen.com/english/advisories/2009/0847

The spnego_gss_accept_sec_context function in
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3,
when SPNEGO is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via invalid
ContextFlags data in the reqFlags field in a negTokenInit token.
Comment 10 Tomas Hoger 2009-04-07 14:20:56 EDT
Covered now in upstream security advisory:
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt

Final upstream patch differs from the previous one:
  https://bugzilla.redhat.com/show_bug.cgi?id=491033#c7
Comment 11 errata-xmlrpc 2009-04-07 14:47:45 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0408 https://rhn.redhat.com/errata/RHSA-2009-0408.html
Comment 12 Fedora Update System 2009-04-07 19:23:02 EDT
krb5-1.6.3-16.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-04-07 19:23:22 EDT
krb5-1.6.3-18.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
