Bug 58010 (CVE-2004-0772)

Summary: VUL-0: CVE-2004-0772: heimdal: double free errors from MIT krb5, may they affect us too?
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Vladimir Nadvornik <nadvornik>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0772: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2004-07-14 20:32:03 UTC 
Hello Vladimir, 
I know we don't ship MIT kerberos but it may affect heimdal code too by 
copy-n-pasting code or using compat. libs. 
 
Note, this issue should be kept private. 
 
Date: Tue, 13 Jul 2004 19:19:08 -0400 
From: Tom Yu <tlyu@mit.edu> 
To: cert@cert.org, vendor-sec@lst.de, Emily Ratliff <ratliff@austin.ibm.com>, 
Umesh Khatwani <ukhatwan@us.ibm.com>, 
    Mounir Bsaibes <bsaibis@us.ibm.com>, Ut Le <utle@us.ibm.com>, Douglas R.  
Lamoureux <douglas_lamoureux@hp.com>, 
    "Morrison, Wayne" <Wayne.Morrison@hp.com> 
Subject: [vendor-sec] confidential - pending MIT krb5 security advisories 
 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
The MIT Kerberos Development Team is aware of the following 
vulnerabilities in the MIT krb5 software.  We are targeting mid-August 
for public disclosure.  Please do not publicly disseminate this 
information prior to our public disclosure. 
 
At this time, we prefer to communicate details of the vulnerabilities 
via secure channels, preferably via PGP.  We prefer to only 
communicate details with vendors actually shipping our code.  If you 
are a vendor shipping our code and would like additional details, 
please provide us with a PGP key for your organization's security 
contact. 
 
The vulnerabilities (with CVE names) are: 
 
CAN-2004-0642 
 
        in krb5-1.3.4 and earlier, double-free errors may allow 
        unauthenticated remote attackers to execute arbitrary code on 
        KDC or clients 
 
CAN-2004-0643 
 
        in krb5-1.3.1 and earlier, double-free errors may allow 
        authenticated attackers to execute arbitrary code on 
        application servers 
 
CAN-2004-0644 
 
        in krb5-1.3.4 and earlier, there is remote denial-of-service 
        vulnerability in the KDC and libraries 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.0.7 (SunOS) 
 
iD8DBQFA9G33SO8fWy4vZo4RAqASAJ9YZgsh/MCuu5RgGN9Zl4JOZjmBbACghcX6 
M6KBSMj2TqPHxJDjbqWGKTU= 
=1rCG 
-----END PGP SIGNATURE-----
Comment 1 Thomas Biege 2004-07-14 20:32:03 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Vladimir Nadvornik 2004-07-16 00:07:08 UTC 
Where can I get more details?
Comment 3 Thomas Biege 2004-07-16 00:17:04 UTC 
i think you have to get in contact with Tom Yu <tlyu@mit.edu>.
Comment 4 Thomas Biege 2004-07-27 16:28:13 UTC 
private mail from CERT: 
 
 
Hello, 
 
We have received the following report from MIT regarding 
vulnerabilities in MIT Kerberos 5.  MIT has asked that vendors using 
MIT krb5 contact them directly for further technical details, 
including patches.  We do not presently have this information. 
 
Contact information for MIT krb5: 
 
  Tom Yu <tlyu@mit.edu> 
 
  <http://web.mit.edu/kerberos/contact.html> 
 
We will be publishing Vulnerability Notes and possibly an Alert.  We'd 
appreciate status information and/or vendor statements when possible. 
As noted below, MIT is planning for a mid-August public release. 
 
 
====================================================================== 
 
MIT Kerberos 5 Vulnerability Reports 
 
====================================================================== 
 
The MIT Kerberos Development Team is aware of the following 
vulnerabilities in the MIT krb5 software.  We are targeting mid-August 
for public disclosure.  Please do not publicly disseminate this 
information prior to our public disclosure. 
 
At this time, we prefer to communicate details of the vulnerabilities 
via secure channels, preferably via PGP.  We prefer to only 
communicate details with vendors actually shipping our code.  If you 
are a vendor shipping our code and would like additional details, 
please provide us with a PGP key for your organization's security 
contact. 
 
The vulnerabilities (with CVE names) are: 
 
CAN-2004-0642 [VU#795632] 
 
        in krb5-1.3.4 and earlier, double-free errors may allow 
        unauthenticated remote attackers to execute arbitrary code on 
        KDC or clients 
 
CAN-2004-0643 [VU#866472] 
 
        in krb5-1.3.1 and earlier, double-free errors may allow 
        authenticated attackers to execute arbitrary code on 
        application servers 
 
CAN-2004-0644 [VU#550464] 
 
        in krb5-1.3.4 and earlier, there is remote denial-of-service 
        vulnerability in the KDC and libraries 
 
====================================================================== 
 
 
Regards, 
 
  - Art 
 
 
             Art Manion  --  CERT Coordination Center 
    <http://www.cert.org/>   <cert@cert.org>   +1 412-268-7090 
         AB 21 AE 19 EE 89 A1 5A  D7 D8 0C 44 2D 87 F6 96
Comment 5 Marcus Meissner 2004-08-30 19:43:58 UTC 
coordinated release dates from vendor-sec: 
CAN-2004-0642/3/4   krb5                Aug 31 ????UTC                           
CAN-2004-0772       krb5                Aug 31 ????UTC
Comment 6 Sebastian Krahmer 2004-09-03 17:30:52 UTC 
I have seen this has gone public. Whats our status?
Comment 7 Vladimir Nadvornik 2004-09-03 18:20:53 UTC 
The heimdal code is is completely different and does 
not contain these bugs.
Comment 8 Thomas Biege 2009-10-13 20:28:55 UTC 
CVE-2004-0772: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)