MIT krb5 Security Advisory 2003-005

Original release date: 2003-03-19
Last update: 2003-03-20
Topic: Buffer overrun and underrun in principal name handling
Severity: SERIOUS

SUMMARY
=======

Buffer overrun and underrun problems exist in Kerberos principal name
handling in unusual cases, such as names with zero components, names
with one empty component, or host-based service principal names with
no host name component.

IMPACT
======

* Corruption of malloc pool, probably leading to program crash.
  + The KDC may be vulnerable.
  + Depending on the malloc implementation and platform, it may be
    possible to build more serious exploits on this.
* Reference to data just past the end of an array in the KDC, for
  comparison against certain fixed data. May result in crashing the KDC.

AFFECTED SOFTWARE
=================

MIT Kerberos 5, all released versions through 1.2.7 and 1.3-alpha1.

FIX
===

The following patches should fix the most urgent aspects of the
problems in the 1.2.7 release. If these patches do not apply cleanly
to 1.2.6 and earlier versions, the corresponding changes should be
fairly straightforward.

The patch to krb5.hin should change any missed overrun cases in this
area into null pointer dereferences, which will be more likely to crash
the program instead of referencing arbitrary data.

Patch:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-patch.txt

Patch PGP signature:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-patch.txt.asc

The problem exists in other parts of the code as well, but should only
result in crashing application servers when the realm has been
misconfigured to use broken service names, or crashing application
clients when they are supplied broken principal names.

REFERENCES
==========

CVE CAN-2003-0082 Buffer underrun
CVE CAN-2003-0072 Array overrun -- only the portions that appeared to
affect a server with no strange realm configurations were included here.
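The advisory describes three malformed name shapes (zero components, an empty component, a host-based service name with no host component) and a fix that turns out-of-range component reads into null pointer dereferences rather than reads of arbitrary memory. The following is an added illustration, not MIT's own code or the patch: it uses constructed stand-in structs shaped like krb5_data / krb5_principal_data (the krb5 name-type value for host-based services, KRB5_NT_SRV_HST, is 3 in MIT krb5), a bounds-checked component accessor that returns NULL instead of overrunning, and a validation routine that rejects each of the named shapes before any code indexes the component array.

```c
#include <stddef.h>

/* Constructed stand-ins shaped like krb5_data / krb5_principal_data;
 * not the library's own header. type follows the KRB5_NT_* name types. */
typedef struct { unsigned int length; const char *data; } kdata;
typedef struct { int type; kdata realm; kdata *data; int length; } principal;
#define NT_SRV_HST 3   /* host-based service name: service/hostname */

enum { PRINC_OK = 0, PRINC_NO_COMPONENTS, PRINC_EMPTY_COMPONENT,
       PRINC_NO_HOSTNAME };

/* Bounds-checked component accessor: an out-of-range index (including the
 * data[0]/data[1] of a too-short name) yields NULL, never memory past the
 * end of the component array. Callers must check for NULL. */
const kdata *princ_component(const principal *p, int i)
{
    if (p == NULL || i < 0 || i >= p->length)
        return NULL;
    return &p->data[i];
}

/* Reject the name shapes the advisory names before any code indexes
 * components: zero components, an empty component, or a host-based
 * service name that carries a service but no host component. */
int validate_principal(const principal *p)
{
    if (p == NULL || p->length <= 0)
        return PRINC_NO_COMPONENTS;
    for (int i = 0; i < p->length; i++)
        if (p->data[i].length == 0 || p->data[i].data == NULL)
            return PRINC_EMPTY_COMPONENT;
    if (p->type == NT_SRV_HST && princ_component(p, 1) == NULL)
        return PRINC_NO_HOSTNAME;
    return PRINC_OK;
}

/* Constructed sample names exercising each case (realm and hosts are made up). */
static kdata comps_host[] = { {4, "host"}, {11, "kdc.example"} };
static kdata comps_empty[] = { {0, ""} };
static const kdata realm = {7, "EXAMPLE"};
int case_zero_components(void)
{ principal p = {NT_SRV_HST, realm, NULL, 0}; return validate_principal(&p); }
int case_empty_component(void)
{ principal p = {1, realm, comps_empty, 1}; return validate_principal(&p); }
int case_missing_host(void)
{ principal p = {NT_SRV_HST, realm, comps_host, 1}; return validate_principal(&p); }
int case_well_formed(void)
{ principal p = {NT_SRV_HST, realm, comps_host, 2}; return validate_principal(&p); }
int case_out_of_range_is_null(void)
{ principal p = {NT_SRV_HST, realm, comps_host, 2}; return princ_component(&p, 2) == NULL; }
```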
ACKNOWLEDGMENTS
===============

Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our
attention.

CONTACT
=======

For more information, contact Ken Raeburn, Sam Hartman, or Marshall Vale.

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/www/index.html

REVISION HISTORY
================

2003-03-19 original release
2003-03-19 moved patch to separate file with separate signature
2003-03-20 added CVE identification