[krbdev.mit.edu #8108] git commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Fri Feb 6 18:11:52 EST 2015
Handle invalid RFC 1964 tokens [CVE-2014-4341...]
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE-2014-4342:
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
[tlyu at mit.edu: CVE summaries, CVSS]
(cherry picked from commit fb99962cbd063ac04c9a9d2cc7c75eab73f3533d)
https://github.com/krb5/krb5/commit/8a9a2d09c93b55ad0dbdd16ae36e952a04f27466
Author: Greg Hudson <ghudson at mit.edu>
Committer: Tom Yu <tlyu at mit.edu>
Commit: 8a9a2d09c93b55ad0dbdd16ae36e952a04f27466
Branch: krb5-1.11
src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++-------
src/lib/gssapi/krb5/k5unsealiov.c | 9 +++++++-
2 files changed, 41 insertions(+), 9 deletions(-)
More information about the krb5-bugs
mailing list