Bug 56562 (CVE-2004-0523)

Summary: VUL-0: CVE-2004-0523: heimdal: buffer overflows in krb5_aname_to_localname
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Vladimir Nadvornik <nadvornik>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0523: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: MIT Advisory

Description Thomas Biege 2004-06-03 15:51:46 UTC
Hello,
an announcement about several buffer overflows in krb5_aname_to_localname()
reached us.
Comment 1 Thomas Biege 2004-06-03 15:51:46 UTC
-
Comment 2 Thomas Biege 2004-06-03 15:55:03 UTC
Created attachment 20634 [details]
MIT Advisory
Comment 3 Thomas Biege 2004-06-03 15:56:58 UTC
Should this update obsolete the following update:
c9e1b28a0689b282b00614ce00e02260
 
Comment 4 Thomas Biege 2004-06-03 15:57:39 UTC
CAN: CAN-2004-0523 
Comment 5 Vladimir Nadvornik 2004-06-03 17:27:53 UTC
This is about MIT Kerberos. It does not affect heimdal. 
Comment 6 Thomas Biege 2004-06-03 18:36:42 UTC
The heimdal code of SL8.1 includes the following function:
krb5_error_code 
krb5_aname_to_localname (krb5_context context, 
                         krb5_const_principal aname, 
                         size_t lnsize, 
                         char *lname) 
{ 
 
The code looks different but I'll check it. 
Comment 7 Thomas Biege 2004-06-03 18:43:48 UTC
Hm, maybe this should get a trailing zero: 
    len = strlen (res); 
    if (len >= lnsize) 
        return ERANGE; 
    strcpy (lname, res); 
    // XXX thomas: append terminating 0 
    return 0; 
Comment 8 Vladimir Nadvornik 2004-06-03 18:48:12 UTC
In heimdal from SLES9 there is strlcpy()
Comment 9 Thomas Biege 2004-06-03 18:52:27 UTC
Yes, saw it. 
    len = strlen (res); 
    if (len >= lnsize) 
        return ERANGE; 
    strlcpy (lname, res, lnsize); 
 
Do we use this function? 
Comment 10 Olaf Kirch 2004-06-03 18:56:59 UTC
re comment #6: the code looks fine to me, assuming that lnsize ==
sizeof(lname).

if (len >= lnsize)
        return ERANGE;

now we know that len < lnsize, so that the string including NUL fits

strcpy (lname, res);

copies "res" including the NUL byte.
Comment 11 Thomas Biege 2004-06-03 19:00:13 UTC
Ah yes... I missed that strcpy() copies the trailing 0 byte too.
Can we be sure it exists?
 
Comment 12 Olaf Kirch 2004-06-03 19:13:52 UTC
Well, of course. We just did a strlen on the string! 
 
/me hands Thomas a large cup of strong coffee :) 
Comment 13 Thomas Biege 2004-06-03 19:22:32 UTC
Thanks *schluerf* 
 
I will shut up now. :) 
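The length check and copy discussed in comments 7 to 12, written out as an added stand-alone example (not code from the bug report or from heimdal): copy_localname() mirrors the quoted pattern, and check_copy() fills a sentinel buffer to show that the boundary case len == lnsize is rejected while len < lnsize copies the name and its NUL without touching bytes beyond lnsize. The function and buffer names are this example's own.

```c
/* Added example: reproduces the strlen() / "len >= lnsize" / strcpy()
 * pattern quoted in the bug so the boundary condition can be exercised. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Reject when the name plus its terminating NUL would not fit; otherwise
 * strcpy() writes exactly strlen(res) + 1 bytes, all inside lnsize. */
int copy_localname(const char *res, size_t lnsize, char *lname)
{
    size_t len = strlen(res);      /* res must be NUL-terminated (strlen needs it) */
    if (len >= lnsize)             /* len + 1 > lnsize: no room for the NUL byte */
        return ERANGE;
    strcpy(lname, res);            /* copies len + 1 bytes, NUL included */
    return 0;
}

/* Returns 1 if copy_localname() returned expect_rc, the buffer holds
 * 'expect' plus NUL on success, and no sentinel beyond lnsize was changed. */
int check_copy(const char *res, size_t lnsize, const char *expect, int expect_rc)
{
    char buf[16];                  /* constructed destination, lnsize <= 16 */
    size_t i;
    memset(buf, 'X', sizeof buf);  /* sentinel fill to detect any overrun */
    if (lnsize > sizeof buf)
        return 0;
    if (copy_localname(res, lnsize, buf) != expect_rc)
        return 0;
    if (expect_rc == 0) {
        /* on success the name and its NUL sit within the first lnsize bytes */
        if (strncmp(buf, expect, lnsize) != 0 || buf[strlen(expect)] != '\0')
            return 0;
    }
    for (i = lnsize; i < sizeof buf; i++)
        if (buf[i] != 'X')         /* bytes past lnsize must be untouched */
            return 0;
    return 1;
}
```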
Comment 14 Thomas Biege 2009-10-13 20:24:03 UTC
CVE-2004-0523: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)