Bug 1076229 – VUL-1: CVE-2018-5709: krb5: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is avariable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bitdata but unknowingly the developer has assigned a "u4" va

Bug 1076229 - (CVE-2018-5709) VUL-1: CVE-2018-5709: krb5: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is avariable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bitdata but unknowingly the developer has assigned a "u4" va

(CVE-2018-5709)
Summary:	VUL-1: CVE-2018-5709: krb5: An issue was discovered in MIT Kerberos 5 (aka kr...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/198323/
Whiteboard:	CVSSv3:SUSE:CVE-2018-5709:5.3:(AV:L/A...
Keywords:

Depends on:
Blocks:	1132051
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-01-16 16:35 UTC by Marcus Meissner
Modified:	2020-06-29 06:32 UTC (History)
CC List:	8 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2018-01-16 16:35:03 UTC

CVE-2018-5709

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a
variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit
data but unknowingly the developer has assigned a "u4" variable to it, which is
for 32-bit data. An attacker can use this vulnerability to affect other
artifacts of the database as we know that a Kerberos database dump file contains
trusted data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5709
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow

Comment 1 Andreas Stieger 2018-01-17 12:53:45 UTC

https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/f4b35fdf75bd5eadea42eb04f0e9e2199cb09e6a/Integer%20Overflow

Comment 2 Alexander Bergmann 2018-03-14 09:44:07 UTC

So far, there is no upstream fix available.

Comment 6 Marcus Meissner 2019-04-26 15:52:20 UTC

The created dump can at most have MAX_INT (2^31) entries, so reading it in will also have at most 2^31 entries.

The reader scans this unsigned, with 2^32 options, where the INT will always fit in.

This cannot be exploited.

Comment 7 Marcus Meissner 2019-04-26 15:59:13 UTC

(small correction, it is a int16 value, but as it is written out, parsing it as unsigned int32 will not be a problem either.)

Comment 8 Samuel Cabrero 2019-06-19 15:48:22 UTC

Reassigned to security-team to closing it.

Comment 9 Marcus Meissner 2019-06-26 11:55:39 UTC

closing