Bug 816413 – VUL-0: CVE-2013-1416: krb5: prep_reprocess_req NULL ptr deref

Bug 816413 - (CVE-2013-1416) VUL-0: CVE-2013-1416: krb5: prep_reprocess_req NULL ptr deref

(CVE-2013-1416)
Summary:	VUL-0: CVE-2013-1416: krb5: prep_reprocess_req NULL ptr deref

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2013-1416:4.0:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2013-04-22 06:08 UTC by Sebastian Krahmer
Modified:	2017-09-20 14:42 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2013-04-22 06:08:37 UTC

Via CVE-script:

Name: CVE-2013-1416

The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT
+Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral,
+which allows remote authenticated users to cause a denial of service (NULL pointer dereference
+and daemon crash) via a crafted TGS-REQ request.



Reference: CONFIRM: https://github.com/krb5/krb5/commit/8ee70ec63931d1e38567905387ab9b1d45734d81
Reference: CONFIRM: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7600

Comment 1 Michael Calmer 2013-04-22 07:59:14 UTC

Seems that only openSUSE is affected.
SLES has 1.6.x version

Comment 3 Bernhard Wiedemann 2013-04-22 13:00:07 UTC

This is an autogenerated message for OBS integration:
This bug (816413) was mentioned in
https://build.opensuse.org/request/show/172847 Maintenance /

Comment 4 Bernhard Wiedemann 2013-04-24 10:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (816413) was mentioned in
https://build.opensuse.org/request/show/173147 Maintenance / 
https://build.opensuse.org/request/show/173154 Evergreen:11.2 / krb5

Comment 5 Swamp Workflow Management 2013-05-03 12:04:51 UTC

openSUSE-SU-2013:0746-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 816413
CVE References: CVE-2013-1416
Sources used:
openSUSE 12.2 (src):    krb5-1.10.2-3.16.1, krb5-doc-1.10.2-3.16.2, krb5-mini-1.10.2-3.16.1
openSUSE 12.1 (src):    krb5-1.9.1-24.20.1

Comment 6 Bernhard Wiedemann 2013-05-04 20:00:23 UTC

This is an autogenerated message for OBS integration:
This bug (816413) was mentioned in
https://build.opensuse.org/request/show/174500 Evergreen:11.2 / krb5

Comment 7 Swamp Workflow Management 2013-06-10 09:16:09 UTC

openSUSE-SU-2013:0904-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 816413
CVE References: CVE-2013-1416
Sources used:
openSUSE 12.3 (src):    krb5-1.10.2-10.13.1, krb5-doc-1.10.2-10.13.2, krb5-mini-1.10.2-10.13.1

Comment 8 Swamp Workflow Management 2013-06-10 10:22:48 UTC

openSUSE-SU-2013:0967-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 816413
CVE References: CVE-2013-1416
Sources used:
openSUSE 11.4 (src):    krb5-1.8.3-59.1

Comment 9 Marcus Meissner 2013-06-14 06:17:44 UTC

released