Bug 56562 (CVE-2004-0523) - VUL-0: CVE-2004-0523: heimdal: buffer overflows in krb5_aname_to_localname
Summary: VUL-0: CVE-2004-0523: heimdal: buffer overflows in krb5_aname_to_localname
Status: RESOLVED INVALID
Alias: CVE-2004-0523
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium Severity: Major
Target Milestone: ---
Assignee: Vladimir Nadvornik
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-0523: CVSS v2 Base Score: 10...
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-03 15:51 UTC by Thomas Biege
Modified: 2021-10-02 09:05 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
MIT Advisory (10.71 KB, text/plain)
2004-06-03 15:55 UTC, Thomas Biege

Description Thomas Biege 2004-06-03 15:51:46 UTC
Hello, 
an announcement about several buffer overflows in krb5_aname_to_localname() 
reached us.
Comment 1 Thomas Biege 2004-06-03 15:51:46 UTC
Comment 2 Thomas Biege 2004-06-03 15:55:03 UTC
Created attachment 20634 [details]
MIT Advisory
Comment 3 Thomas Biege 2004-06-03 15:56:58 UTC
Should this update obsolete the following update: 
c9e1b28a0689b282b00614ce00e02260 
 
Comment 4 Thomas Biege 2004-06-03 15:57:39 UTC
CAN: CAN-2004-0523 
Comment 5 Vladimir Nadvornik 2004-06-03 17:27:53 UTC
This is about MIT Kerberos. It does not affect heimdal. 
Comment 6 Thomas Biege 2004-06-03 18:36:42 UTC
The heimdal code of SL8.1 include the following function: 
krb5_error_code 
krb5_aname_to_localname (krb5_context context, 
                         krb5_const_principal aname, 
                         size_t lnsize, 
                         char *lname) 
{ 
 
The code looks different but I'll check it. 
Comment 7 Thomas Biege 2004-06-03 18:43:48 UTC
Hm, maybe this should get a trailing zero: 
    len = strlen (res); 
    if (len >= lnsize) 
        return ERANGE; 
    strcpy (lname, res); 
    // XXX thomas: append terminating 0 
    return 0; 
Comment 8 Vladimir Nadvornik 2004-06-03 18:48:12 UTC
In heimdal from SLES9 there is strlcpy() 
Comment 9 Thomas Biege 2004-06-03 18:52:27 UTC
Yes, saw it. 
    len = strlen (res); 
    if (len >= lnsize) 
        return ERANGE; 
    strlcpy (lname, res, lnsize); 
 
Do we use this function? 
Comment 10 Olaf Kirch 2004-06-03 18:56:59 UTC
re comment #6: the code looks fine to me, assuming that lnsize == 
sizeof(lname). 
 
if (len >= lnsize) 
	return ERANGE 
 
now we know that len < lnsize, so that the string including NUL fits 
 
strcpy (lname, res); 
 
copies "res" including the NUL byte. 
Comment 11 Thomas Biege 2004-06-03 19:00:13 UTC
Ah yes.. I missed that strcpy() copies the trailing 0 byte too. 
Can we be sure it exists? 
 
Comment 12 Olaf Kirch 2004-06-03 19:13:52 UTC
Well, of course. We just did a strlen on the string! 
 
/me hands Thomas a large cup of strong coffee :) 
Comment 13 Thomas Biege 2004-06-03 19:22:32 UTC
Thanks *schluerf* 
 
I will shut up now. :) 
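The check discussed in comments 7, 9 and 10, written out as a stand-alone C program so the bound can actually be exercised. This is an added example and not heimdal code: `res` stands in for the mapped local name that the real krb5_aname_to_localname() derives from the principal, `strlcpy_compat` is a local stand-in for the BSD strlcpy() used in the SLES9 build (assumption: not relying on libc providing it), and `copy_localname_offbyone` is a hypothetical contrast variant with `>` instead of `>=`, included only to show why the `>=` comparison is the one that keeps the terminating NUL inside the buffer. The copies are made into a window inside a larger buffer with a sentinel byte right after it, so a one-byte overrun is observable without writing outside any real object.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example: the pattern quoted from heimdal in comments 7/9/10.
 * strlen() excludes the NUL, so requiring len < lnsize leaves room for
 * len + 1 bytes, which is exactly what strcpy() writes. */
static int copy_localname_checked(const char *res, size_t lnsize, char *lname)
{
    size_t len = strlen(res);        /* res is NUL-terminated: strlen() relies on it */
    if (len >= lnsize)
        return ERANGE;               /* len + 1 > lnsize: would not fit with NUL */
    strcpy(lname, res);              /* writes len + 1 bytes, NUL included */
    return 0;
}

/* Hypothetical contrast (NOT the heimdal code): with `>` a name of exactly
 * lnsize characters passes the check and strcpy() writes lnsize + 1 bytes. */
static int copy_localname_offbyone(const char *res, size_t lnsize, char *lname)
{
    size_t len = strlen(res);
    if (len > lnsize)
        return ERANGE;
    strcpy(lname, res);
    return 0;
}

/* Local stand-in for BSD strlcpy(): copies at most size-1 bytes and always
 * NUL-terminates when size > 0. Assumption: libc may not provide strlcpy(). */
static size_t strlcpy_compat(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* The SLES9 form from comment 9: same check, copy via strlcpy(). Because the
 * check already guarantees len < lnsize, strlcpy() never truncates here. */
static int copy_localname_strlcpy(const char *res, size_t lnsize, char *lname)
{
    size_t len = strlen(res);
    if (len >= lnsize)
        return ERANGE;
    strlcpy_compat(lname, res, lnsize);
    return 0;
}

/* Run `copy` into an lnsize-byte window of a 64-byte buffer whose byte at
 * index lnsize is a sentinel (0xAA). Returns 1 if the sentinel was clobbered,
 * i.e. the copy wrote past the window. *rc_out receives the copy's result. */
static int overruns_window(int (*copy)(const char *, size_t, char *),
                           const char *res, size_t lnsize, int *rc_out)
{
    char buf[64];                    /* lnsize must stay below sizeof buf - 1 */
    memset(buf, 0xAA, sizeof buf);
    *rc_out = copy(res, lnsize, buf);
    return (unsigned char)buf[lnsize] != 0xAA;
}

/* Returns 1 if `copy` succeeds and lname afterwards compares equal to res,
 * which also proves a NUL was written (strcmp() stops at it). */
static int copied_equal(int (*copy)(const char *, size_t, char *),
                        const char *res, size_t lnsize)
{
    char buf[64];
    memset(buf, 0xAA, sizeof buf);
    if (copy(res, lnsize, buf) != 0)
        return 0;
    return strcmp(buf, res) == 0;
}

int main(void)
{
    const char *name = "alice";      /* constructed sample: 5 characters */
    int rc;
    printf("checked,  lnsize=5: rc=%d overrun=%d\n", rc = 0,
           overruns_window(copy_localname_checked, name, 5, &rc));
    printf("offbyone, lnsize=5: overrun=%d\n",
           overruns_window(copy_localname_offbyone, name, 5, &rc));
    printf("checked,  lnsize=6: equal=%d\n",
           copied_equal(copy_localname_checked, name, 6));
    printf("strlcpy,  lnsize=6: equal=%d\n",
           copied_equal(copy_localname_strlcpy, name, 6));
    return 0;
}
```

With a 5-character name and lnsize == 5 the `>=` check returns ERANGE and touches nothing, the `>` variant writes the NUL one byte past the window, and with lnsize == 6 both the strcpy() and the strlcpy() forms produce a correctly terminated copy.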
Comment 14 Thomas Biege 2009-10-13 20:24:03 UTC
CVE-2004-0523: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)