Subject: pkg/30740: Kerberos buffer overflow, heap corruption in KDC
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <zafer@gmx.org>
List: pkgsrc-bugs
Date: 07/13/2005 13:08:00
>Number: 30740
>Category: pkg
>Synopsis: Kerberos buffer overflow, heap corruption in KDC
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jul 13 13:08:00 +0000 2005
>Originator: Zafer Aydogan
>Release: 2.0 i386
>Organization:
>Environment:
2.0 i386
>Description:
The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service. [CAN-2005-1174, VU#259798]
Please read:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
and
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
>How-To-Repeat:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
>Fix:
Patch1 for KDC:
http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt
Patch2 for recvauth.c:
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt