[3.7] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710) (#9302) · Issues · alpine / aports

[3.7] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710)

CVE-2017-15088: Buffer overflow in get_matching_data()

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name
(DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application
crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions.

References:

https://nvd.nist.gov/vuln/detail/CVE-2017-15088
https://github.com/krb5/krb5/pull/707

Patch:

https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4

CVE-2018-5709: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable “dbentry->n_key_data” in kadmin/dbutil/dump.c
that can store 16-bit data but unknowingly the developer has assigned a “u4” variable to it, which is for 32-bit data. An attacker can use this
vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-5709
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities

CVE-2018-5710: null pointer deference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function “strlen” is getting a “NULL” string as a parameter
value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users
to cause a denial of service (NULL pointer dereference) via a modified kadmin client.

References:

https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service%28DoS%29
https://nvd.nist.gov/vuln/detail/CVE-2018-5710

(from redmine: issue id 9302, created on 2018-08-21, closed on 2019-05-04)

Relations:
- copied_to #9299
- parent #9299
Changesets:
- Revision 896ae53d by Natanael Copa on 2018-08-21T14:37:39Z:

main/krb5: security upgrade to 1.15.3 (CVE-2017-15088,CVE-2018-5709,CVE-2018-5710)

fixes #9302

CVE-2017-15088: Buffer overflow in get\_matching\_data()
--------------------------------------------------------

plugins/preauth/pkinit/pkinit\_crypto\_openssl.c in MIT Kerberos 5 (aka
krb5) through 1.15.2 mishandles Distinguished Name  
(DN) fields, which allows remote attackers to execute arbitrary code or
cause a denial of service (buffer overflow and application  
crash) in situations involving untrusted X.509 data, related to the
get\_matching\_data and X509\_NAME\_oneline\_ex functions.

### References:

https://nvd.nist.gov/vuln/detail/CVE-2017-15088  
https://github.com/krb5/krb5/pull/707

### Patch:

https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4

CVE-2018-5709: integer overflow in dbentry-&gt;n\_key\_data in kadmin/dbutil/dump.c
-----------------------------------------------------------------------------------

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There
is a variable “dbentry-&gt;n\_key\_data” in kadmin/dbutil/dump.c  
that can store 16-bit data but unknowingly the developer has assigned a
“u4” variable to it, which is for 32-bit data. An attacker can use
this  
vulnerability to affect other artifacts of the database as we know that
a Kerberos database dump file contains trusted data.

### References:

https://nvd.nist.gov/vuln/detail/CVE-2018-5709  
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities

CVE-2018-5710: null pointer deference in strlen function in plugins/kdb/ldap/libkdb\_ldap/ldap\_principal2.c
------------------------------------------------------------------------------------------------------------

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The
pre-defined function “strlen” is getting a “NULL” string as a
parameter  
value in plugins/kdb/ldap/libkdb\_ldap/ldap\_principal2.c in the Key
Distribution Center (KDC), which allows remote authenticated users  
to cause a denial of service (NULL pointer dereference) via a modified
kadmin client.

### References:

https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service%28DoS%29  
https://nvd.nist.gov/vuln/detail/CVE-2018-5710

*(from redmine: issue id 9302, created on 2018-08-21, closed on 2019-05-04)*

* Relations:
  * copied_to #9299
  * parent #9299
* Changesets:
  * Revision 896ae53d1849faa57ea676acd47332399c11bae7 by Natanael Copa on 2018-08-21T14:37:39Z:

```
main/krb5: security upgrade to 1.15.3 (CVE-2017-15088,CVE-2018-5709,CVE-2018-5710)

fixes #9302
```

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information