Bugzilla – Bug 52079
VUL-0: CVE-2004-0371: cross realm bug in heimdal
Last modified: 2021-10-04 08:37:57 UTC
We got this report: From: Love <lha@stacken.kth.se> To: security@suse.de Cc: joda@pdc.kth.se Date: Thu, 25 Mar 2004 00:19:24 +0100 Subject: [security@suse.de] foo Hello, There is a cross-realm vulnerability in Heimdal, that will be fixed in the upcoming 0.6.1 (should be out in a couple of days). This letter is mostly to let you know about it. Love
<!-- SBZ_reproduce --> ...
Is there more info available? I can't find anything.
No, this was just some pre-notification about an unspecified vulnerability.
There is more info available now. Please see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
We have now heimdal-0.6.1rc3 in 9.1 Andreas, is it possible to update to final heimdal-0.6.1 ?
Not possible for 9.1.
Do they offer any patches? I assume verseions < 0.6.1 to be affected as well. (SL 9.0 etc)
Debian has some patches. I am now looking at it.
The heimdal 0.6.1 changelog entry dated 2003-10-21 seems to be the fix. That means that heimdal-0.6.1rc3 in 9.1 is not affected. The diff between 0.5.2 and 0.5.3 seems to contain only the fix. I propose to use it to patch older releases.
Created attachment 18169 [details] diff between 0.5.2 and 0.5.3, .c and .h files only
Ah, nice. Tell us when you need patchinfo files.
I have extracted the patches. Can you please attach the patchinfo files?
Which SL versions are affected and which maintained versions? Each of them, or do I need to remove some versions?
All SL versions are affected, except 9.1. SLES7 and SLES8 are affected too.
Created attachment 18354 [details] patchinfo The patchinfo file.
Created attachment 18355 [details] patchinfo for box the patchinfo for box products.
Any news here?
The package is submitted. I forgot to write it here, sorry.
Thanks!
Still problems while QA testing maintainer has been involved - but no solutions all other architecture has been OK. Added meissner as PPC-guru Added patch-request for release tracking Set to blocker as this fix is waiting since more than one month for release/"sucussfull testing", to get some attention! Could be deescalated to critical, BUT not below after this long time without any real progress
No reaction by Sebastian, so i assign it th the complete security-team. Added draht to CC. Problem exists since over several weeks: All tests ok except PPC I will reject the current heimdal-Update even so it isn't clear if it is a bug or a problem of the setup.
The security-team tried to help (s. Olaf's mails). The rest of us can't be a help here. We do not know anything about Kerberos that is technical valuable. It's like doing rocket science with closed eyes. :)
Thomas, Thank you for your reaction - i won't reject yet. I think Olaf is overloaded due to SLES9, he isn't security-team anymore. I would expect a escaltion by security-team if there is no solution after quite some time. I will escalate it now to get some resources. Olaf Kirch and Marcus Meissner should be able to solve the issue, but probably we have to wait till RC1 to get them. Taking the bug for esclation. German saying: "Tue es selbst, dann weisst es ist getan"
Marcus, you could have a look at the problem in conjunction with PPC. Maybe svollath could be helpful, AFAIK he was the tester of heimdal at PPC. THX
Some new insights? Time keeps moving!
retested, found good, updates released.
CVE-2004-0371
CVE-2004-0371: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)