[3.7] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710) (#9302) · Issues · alpine / aports

[3.7] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710)

CVE-2017-15088: Buffer overflow in get_matching_data()

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name
(DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application
crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions.

References:

https://nvd.nist.gov/vuln/detail/CVE-2017-15088
https://github.com/krb5/krb5/pull/707

Patch:

https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4

CVE-2018-5709: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable “dbentry->n_key_data” in kadmin/dbutil/dump.c
that can store 16-bit data but unknowingly the developer has assigned a “u4” variable to it, which is for 32-bit data. An attacker can use this
vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-5709
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities

CVE-2018-5710: null pointer deference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function “strlen” is getting a “NULL” string as a parameter
value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users
to cause a denial of service (NULL pointer dereference) via a modified kadmin client.

References:

https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service%28DoS%29
https://nvd.nist.gov/vuln/detail/CVE-2018-5710

(from redmine: issue id 9302, created on 2018-08-21, closed on 2019-05-04)

Relations:
- copied_to #9299
- parent #9299
Changesets:
- Revision 896ae53d by Natanael Copa on 2018-08-21T14:37:39Z:

main/krb5: security upgrade to 1.15.3 (CVE-2017-15088,CVE-2018-5709,CVE-2018-5710)

fixes #9302

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information