Bugzilla – Bug 1220772
VUL-0: CVE-2024-26462: krb5: memory leak at /krb5/src/kdc/ndr.c
Last modified: 2024-07-05 11:15:09 UTC
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26462 https://bugzilla.redhat.com/show_bug.cgi?id=2266742 https://www.cve.org/CVERecord?id=CVE-2024-26462 https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md
https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html On 3/1/24 07:13, Alexander Bergmann via Kerberos wrote: > We got notified via NVD about 3 new security issues. Right now there > seams to be no upstream reference. Could someone please comment on this? > > CVE-2024-26458: Memory leak at /krb5/src/lib/rpc/pmap_rmt.c > CVE-2024-26461: Memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c > CVE-2024-26462: Memory leak at /krb5/src/kdc/ndr.c These CVEs appear to be the result of someone running a static analysis tool over the MIT krb5 code base and assigning CVEs to each resulting defect, without performing any additional impact analysis or upstream consultation. The pmap_rmt.c leak only affects pmap_rmtcall(), which is unused by the rest of the krb5 code base and likely unused by anyone else. The k5sealv3.c leak affects an encoding function, and happens on a bounds check which likely cannot be triggered with any choice of memory-valid API inputs. (The bounds check was itself introduced to quash a different static analysis defect.) The ndr.c leak also affects an encoding function, and triggers if the input contains invalid UTF-8. This one might be triggerable by a request (though it may require elevated privilege), but I would not have requested a CVE for it myself. I will fix these on the mainline, but I only expect to assign a ticket to the third one.
SUSE-SU-2024:0997-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1220770, 1220771, 1220772 CVE References: CVE-2024-26458, CVE-2024-26461, CVE-2024-26462 Maintenance Incident: [SUSE:Maintenance:33037](https://smelt.suse.de/incident/33037/) Sources used: openSUSE Leap 15.5 (src): krb5-mini-1.20.1-150500.3.6.1, krb5-1.20.1-150500.3.6.1 SUSE Linux Enterprise Micro 5.5 (src): krb5-1.20.1-150500.3.6.1 Basesystem Module 15-SP5 (src): krb5-1.20.1-150500.3.6.1 Server Applications Module 15-SP5 (src): krb5-1.20.1-150500.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As indicated at https://bugzilla.suse.com/show_bug.cgi?id=1221579#c3, point 4, I think 11SP4 is _not_ affected, but I see in smash it's still under analysis. Security team, could you confirm 11SP4 is _not_ affected?
This is an autogenerated message for OBS integration: This bug (1220772) was mentioned in https://build.opensuse.org/request/show/1185764 Factory / krb5