Bugzilla – Bug 1220771
VUL-0: CVE-2024-26461: krb5: memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c
Last modified: 2024-07-05 11:15:07 UTC
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26461 https://bugzilla.redhat.com/show_bug.cgi?id=2266740 https://www.cve.org/CVERecord?id=CVE-2024-26461 https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html On 3/1/24 07:13, Alexander Bergmann via Kerberos wrote: > We got notified via NVD about 3 new security issues. Right now there > seams to be no upstream reference. Could someone please comment on this? > > CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c > CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c > CVE-2024-26462: Memory leak at /krb5/src/kdc/ndr.c These CVEs appear to be the result of someone running a static analysis tool over the MIT krb5 code base and assigning CVEs to each resulting defect, without performing any additional impact analysis or upstream consultation. The pmap_rmt.c leak only affects pmap_rmtcall(), which is unused by the rest of the krb5 code base and likely unused by anyone else. The k5sealv3.c leak affects an encoding function, and happens on a bounds check which likely cannot be triggered with any choice of memory-valid API inputs. (The bounds check was itself introduced to quash a different static analysis defect.) The ndr.c leak also affects an encoding function, and triggers if the input contains invalid UTF-8. This one might be triggerable by a request (though it may require elevated privilege), but I would not have requested a CVE for it myself. I will fix these on the mainline, but I only expect to assign a ticket to the third one.
SUSE-SU-2024:0997-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771, 1220772 CVE References: CVE-2024-26458, CVE-2024-26461, CVE-2024-26462 Maintenance Incident: [SUSE:Maintenance:33037](https://smelt.suse.de/incident/33037/) Sources used: openSUSE Leap 15.5 (src): krb5-mini-1.20.1-150500.3.6.1, krb5-1.20.1-150500.3.6.1 SUSE Linux Enterprise Micro 5.5 (src): krb5-1.20.1-150500.3.6.1 Basesystem Module 15-SP5 (src): krb5-1.20.1-150500.3.6.1 Server Applications Module 15-SP5 (src): krb5-1.20.1-150500.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0999-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771 CVE References: CVE-2024-26458, CVE-2024-26461 Maintenance Incident: [SUSE:Maintenance:33040](https://smelt.suse.de/incident/33040/) Sources used: SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): krb5-1.16.3-150100.3.33.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): krb5-1.16.3-150100.3.33.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): krb5-1.16.3-150100.3.33.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1001-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771 CVE References: CVE-2024-26458, CVE-2024-26461 Maintenance Incident: [SUSE:Maintenance:33039](https://smelt.suse.de/incident/33039/) Sources used: SUSE Enterprise Storage 7.1 (src): krb5-1.19.2-150300.16.1 SUSE Linux Enterprise Micro 5.1 (src): krb5-1.19.2-150300.16.1 SUSE Linux Enterprise Micro 5.2 (src): krb5-1.19.2-150300.16.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): krb5-1.19.2-150300.16.1 openSUSE Leap 15.3 (src): krb5-1.19.2-150300.16.1, krb5-mini-1.19.2-150300.16.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): krb5-1.19.2-150300.16.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): krb5-1.19.2-150300.16.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): krb5-1.19.2-150300.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1006-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771 CVE References: CVE-2024-26458, CVE-2024-26461 Maintenance Incident: [SUSE:Maintenance:33038](https://smelt.suse.de/incident/33038/) Sources used: SUSE Manager Proxy 4.3 (src): krb5-1.19.2-150400.3.9.1 SUSE Manager Retail Branch Server 4.3 (src): krb5-1.19.2-150400.3.9.1 SUSE Manager Server 4.3 (src): krb5-1.19.2-150400.3.9.1 openSUSE Leap 15.4 (src): krb5-1.19.2-150400.3.9.1, krb5-mini-1.19.2-150400.3.9.1 openSUSE Leap Micro 5.3 (src): krb5-1.19.2-150400.3.9.1 openSUSE Leap Micro 5.4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Micro 5.3 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Micro 5.4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): krb5-1.19.2-150400.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): krb5-1.19.2-150400.3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As indicated at https://bugzilla.suse.com/show_bug.cgi?id=1221579#c3, point 3, I think 11SP4 is _not_ affected, but I see in smash it's still under analysis. Security team, could you confirm 11SP4 is _not_ affected?
SUSE-SU-2024:1148-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771 CVE References: CVE-2024-26458, CVE-2024-26461 Maintenance Incident: [SUSE:Maintenance:33148](https://smelt.suse.de/incident/33148/) Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): krb5-1.16.3-46.6.1 SUSE Linux Enterprise Server 12 SP5 (src): krb5-1.16.3-46.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): krb5-1.16.3-46.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): krb5-1.16.3-46.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1220771) was mentioned in https://build.opensuse.org/request/show/1185764 Factory / krb5