Bug 52079 (CVE-2004-0371)

Summary: VUL-0: CVE-2004-0371: cross realm bug in heimdal
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: hmuelle, meissner, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0371: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  diff between 0.5.2 and 0.5.3, .c and .h files only
  patchinfo
  patchinfo for box

Description Sebastian Krahmer 2004-03-26 20:04:49 UTC
We got this report:

From: Love <lha@stacken.kth.se>
To: security@suse.de
Cc: joda@pdc.kth.se
Date: Thu, 25 Mar 2004 00:19:24 +0100
Subject: [security@suse.de] foo


Hello,

There is a cross-realm vulnerability in Heimdal, that will be fixed in
the upcoming 0.6.1 (should be out in a couple of days). This letter is
mostly to let you know about it.

Love
Comment 1 Sebastian Krahmer 2004-03-26 20:04:49 UTC
...
Comment 2 Vladimir Nadvornik 2004-03-26 21:02:20 UTC
Is there more info available? I can't find anything. 
 
 
Comment 3 Carl-Daniel Hailfinger 2004-03-26 21:07:10 UTC
No, this was just some pre-notification about an unspecified vulnerability.
Comment 4 Sebastian Krahmer 2004-04-07 18:14:36 UTC
There is more info available now. Please see

http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
Comment 5 Vladimir Nadvornik 2004-04-07 18:42:59 UTC
We have now heimdal-0.6.1rc3 in 9.1 
 
Andreas, is it possible to update to final heimdal-0.6.1 ? 
 
Comment 6 Andreas Jaeger 2004-04-07 18:49:15 UTC
Not possible for 9.1.
Comment 7 Sebastian Krahmer 2004-04-07 18:51:51 UTC
Do they offer any patches? I assume versions < 0.6.1 to be affected
as well. (SL 9.0 etc)

Comment 8 Vladimir Nadvornik 2004-04-07 19:43:18 UTC
Debian has some patches. I am now looking at it. 
Comment 9 Vladimir Nadvornik 2004-04-08 21:08:46 UTC
The heimdal 0.6.1 changelog entry dated 2003-10-21 seems to be the fix. 
That means that heimdal-0.6.1rc3 in 9.1 is not affected. 
 
The diff between 0.5.2 and 0.5.3 seems to contain only the fix. I propose 
to use it to patch older releases. 
Comment 10 Vladimir Nadvornik 2004-04-08 21:10:55 UTC
Created attachment 18169 [details]
diff between 0.5.2 and 0.5.3, .c and .h files only
Comment 11 Sebastian Krahmer 2004-04-09 17:12:44 UTC
Ah, nice. Tell us when you need patchinfo files.
Comment 12 Vladimir Nadvornik 2004-04-13 21:54:41 UTC
I have extracted the patches. 
Can you please attach the patchinfo files? 
Comment 13 Sebastian Krahmer 2004-04-14 17:17:10 UTC
Which SL versions are affected and which maintained versions?
Each of them, or do I need to remove some versions?
Comment 14 Vladimir Nadvornik 2004-04-14 17:46:45 UTC
All SL versions are affected, except 9.1. 
SLES7 and SLES8 are affected too. 
Comment 15 Sebastian Krahmer 2004-04-16 18:04:13 UTC
Created attachment 18354 [details]
patchinfo

The patchinfo file.
Comment 16 Sebastian Krahmer 2004-04-16 18:05:12 UTC
Created attachment 18355 [details]
patchinfo for box

the patchinfo for box products.
Comment 17 Thomas Biege 2004-04-22 16:01:50 UTC
Any news here? 
Comment 18 Vladimir Nadvornik 2004-04-22 17:02:16 UTC
The package is submitted. I forgot to write it here, sorry. 
Comment 19 Thomas Biege 2004-04-22 20:07:07 UTC
Thanks! 
Comment 20 Harald Mueller-Ney 2004-05-26 19:58:36 UTC
Still problems while QA testing 

Maintainer has been involved, but no solutions. All other architectures have been OK.

Added meissner as PPC-guru
Added patch-request for release tracking

Set to blocker, as this fix has been waiting for more than one month for
release/"successful testing", to get some attention!

Could be deescalated to critical, BUT not below after this long time without any
real progress
Comment 21 Harald Mueller-Ney 2004-05-28 18:27:00 UTC
No reaction by Sebastian, so I assign it to the complete security-team.
Added draht to CC.

Problem has existed for several weeks:

All tests ok except PPC

I will reject the current heimdal-Update even though it isn't clear if it is a bug
or a problem of the setup.

Comment 22 Thomas Biege 2004-05-28 19:14:50 UTC
The security-team tried to help (see Olaf's mails).

The rest of us can't be a help here. We do not know anything
about Kerberos that is technically valuable. It's like doing
rocket science with closed eyes. :)
Comment 23 Harald Mueller-Ney 2004-05-28 19:31:30 UTC
Thomas, thank you for your reaction - I won't reject yet.

I think Olaf is overloaded due to SLES9, he isn't security-team anymore.
I would expect an escalation by security-team if there is no solution after quite
some time.

I will escalate it now to get some resources.
Olaf Kirch and Marcus Meissner should be able to solve the issue, but probably
we have to wait till RC1 to get them.

Taking the bug for escalation. German saying: "Do it yourself, then you know it is
done"
Comment 24 Harald Mueller-Ney 2004-06-07 18:47:50 UTC
Marcus, you could have a look at the problem in conjunction with PPC.
Maybe svollath could be helpful, AFAIK he was the tester of heimdal at PPC.
THX
Comment 25 Harald Mueller-Ney 2004-06-09 18:13:25 UTC
Some new insights? Time keeps moving!
Comment 26 Marcus Meissner 2004-06-16 03:07:50 UTC
retested, found good, updates released. 
Comment 27 Marcus Meissner 2007-11-13 22:23:17 UTC
CVE-2004-0371 
Comment 28 Thomas Biege 2009-10-13 20:18:44 UTC
CVE-2004-0371: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)