Bug 952190 - (CVE-2015-2697) VUL-0: CVE-2015-2697: krb5: invalid string processing
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Howard Guo
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158284/
Whiteboard: CVSSv2:NVD:CVE-2015-2697:6.8:(AV:N/AC...
Reported: 2015-10-27 12:08 UTC by Andreas Stieger
Modified: 2017-05-16 06:41 UTC
Found By: Security Response Team
Description Andreas Stieger 2015-10-27 12:08:24 UTC
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string.  This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

SLE: SLE 12 and up.
openSUSE: 13.1, 13.2, Leap 42.1 and Tumbleweed

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2697
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2697.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2697
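The under-allocation described in the report, as an added example that is not part of the bug report or of MIT krb5's code: a simplified C reconstruction of the pre-fix strdup() copy beside a k5memdup0()-style copy that honours the length field, both run on a constructed realm that begins with a NUL byte. The realm_data struct, the function names and the 4096-byte realm length are assumptions for illustration, not krb5 identifiers; the consistency check stands in for the later KDC code that walks the realm by its length field.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for krb5_data (assumption: not the real MIT struct):
 * a counted byte buffer that is not required to be NUL-terminated. */
typedef struct {
    unsigned int length;
    char *data;
} realm_data;

/* Pre-fix copy, modelled on build_principal_va() calling strdup() (simplified
 * reconstruction). strdup() stops at the first NUL byte, so the allocation is
 * strlen(data)+1 bytes while the length field keeps the size the request claimed. */
static int copy_realm_strdup(const realm_data *in, realm_data *out, size_t *alloc_out)
{
    out->data = strdup(in->data);
    if (out->data == NULL)
        return -1;
    out->length = in->length;
    *alloc_out = strlen(out->data) + 1;
    return 0;
}

/* Fixed copy: allocate length+1 bytes, copy exactly length bytes, NUL-terminate.
 * This is what k5memdup0() does in the upstream fix. */
static int copy_realm_memdup0(const realm_data *in, realm_data *out, size_t *alloc_out)
{
    char *p = malloc((size_t)in->length + 1);
    if (p == NULL)
        return -1;
    memcpy(p, in->data, in->length);
    p[in->length] = '\0';
    out->data = p;
    out->length = in->length;
    *alloc_out = (size_t)in->length + 1;
    return 0;
}

/* Constructed attacker-style realm: a leading NUL byte followed by 'A's up to
 * realm_len. One extra terminating NUL is appended so strdup() in this demo can
 * never over-read the input; a real TGS request buffer gives no such guarantee. */
static realm_data make_hostile_realm(unsigned int realm_len)
{
    realm_data r;
    r.length = realm_len;
    r.data = malloc((size_t)realm_len + 1);
    if (r.data != NULL) {
        memset(r.data, 'A', realm_len);
        r.data[0] = '\0';
        r.data[realm_len] = '\0';
    }
    return r;
}

typedef int (*copy_fn)(const realm_data *, realm_data *, size_t *);

/* Runs one copy strategy on the hostile realm and returns the bytes it allocated
 * (0 on allocation failure). If undersized is non-NULL it is set to 1 when code
 * that trusts the length field would read past the allocation, else 0. */
static size_t alloc_for_hostile_realm(copy_fn copy, unsigned int realm_len, int *undersized)
{
    realm_data in = make_hostile_realm(realm_len);
    realm_data out = {0, NULL};
    size_t alloc = 0;

    if (in.data == NULL)
        return 0;
    if (copy(&in, &out, &alloc) != 0) {
        free(in.data);
        return 0;
    }
    if (undersized != NULL)
        *undersized = (size_t)out.length > alloc;
    free(out.data);
    free(in.data);
    return alloc;
}

size_t strdup_alloc_for_hostile_realm(unsigned int realm_len)
{
    return alloc_for_hostile_realm(copy_realm_strdup, realm_len, NULL);
}

size_t memdup0_alloc_for_hostile_realm(unsigned int realm_len)
{
    return alloc_for_hostile_realm(copy_realm_memdup0, realm_len, NULL);
}

int strdup_copy_is_undersized(unsigned int realm_len)
{
    int u = 0;
    alloc_for_hostile_realm(copy_realm_strdup, realm_len, &u);
    return u;
}

int memdup0_copy_is_undersized(unsigned int realm_len)
{
    int u = 0;
    alloc_for_hostile_realm(copy_realm_memdup0, realm_len, &u);
    return u;
}

int main(void)
{
    printf("strdup():    claimed 4096, allocated %zu bytes, undersized=%d\n",
           strdup_alloc_for_hostile_realm(4096), strdup_copy_is_undersized(4096));
    printf("k5memdup0(): claimed 4096, allocated %zu bytes, undersized=%d\n",
           memdup0_alloc_for_hostile_realm(4096), memdup0_copy_is_undersized(4096));
    return 0;
}
```

The strdup() path allocates a single byte for a realm whose length field says 4096, which is the mismatch the KDC later trips over. The commit message also names the second failure mode of strdup(): if the request's realm bytes contain no NUL within their stated length, strdup() keeps reading past the end of the input; copying exactly length bytes avoids both problems.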
Comment 1 Swamp Workflow Management 2015-10-27 23:00:35 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2015-10-29 16:00:55 UTC
This is an autogenerated message for OBS integration:
This bug (952190) was mentioned in
https://build.opensuse.org/request/show/341522 13.1 / krb5
https://build.opensuse.org/request/show/341525 13.2 / krb5
Comment 3 Swamp Workflow Management 2015-11-04 09:12:20 UTC
SUSE-SU-2015:1897-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 948011,952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    krb5-1.12.1-19.1
SUSE Linux Enterprise Server 12 (src):    krb5-1.12.1-19.1
SUSE Linux Enterprise Desktop 12 (src):    krb5-1.12.1-19.1
Comment 4 Swamp Workflow Management 2015-11-06 17:12:56 UTC
openSUSE-SU-2015:1928-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
openSUSE 13.2 (src):    krb5-1.12.2-15.1, krb5-mini-1.12.2-15.1
openSUSE 13.1 (src):    krb5-1.11.3-3.21.1, krb5-mini-1.11.3-3.21.1
Comment 5 Swamp Workflow Management 2015-11-16 10:13:12 UTC
openSUSE-SU-2015:1997-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 948011,952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
openSUSE Leap 42.1 (src):    krb5-1.12.1-21.1, krb5-mini-1.12.1-21.1
Comment 6 Howard Guo 2015-11-20 09:07:38 UTC
The update has been released, thus closing the bug report.