2006:002 Patch question

Tom Yu tlyu at MIT.EDU
Wed Jan 10 13:31:20 EST 2007


>>>>> "ss488" == Shivakeshav Santi <ss488 at cornell.edu> writes:

ss488> Hi,
ss488>      We are running version 1.3.6 with patches (2005:002,2005:003). We 
ss488> cannot upgrade to 1.4 or above as we need kadmind4 (which is removed from 
ss488> 1.4 onwards).
ss488> The code in the function svc_do_xprt, in /lib/rpc/svc.c of 1.4 version is 
ss488> also present in svc_getreqset in /lib/rpc/svc.c of version 1.3.6. So I was 
ss488> wondering if this fix should apply to 1.3.6 and previous versions too.

ss488> Can you please confirm this?

As described in MITKRB5-SA-2006-002, releases prior to krb5-1.4 did
not contain the vulnerable code.  In the krb5-1.4 release, we added
support for the RPCSEC_GSS authentication flavor.  The integration of
this support introduced the vulnerability.

While lib/rpc/svc.c may be substantially similar between krb5-1.3.6
and krb5-1.4, the process of integrating RPCSEC_GSS support changed
code in other files, such as lib/rpc/svc_tcp.c, to perform the actual
vulnerable function pointer call (via the SVCAUTH_DESTROY() macro; the
RPC library in krb5-1.3.6 did not contain the SVCAUTH_DESTROY()
macro).

The fix for the vulnerability patches lib/rpc/svc.c, even though svc.c
does not contain the actual vulnerability as such.  The information
required to determine whether the function pointer call is safe is not
readily available in the files containing the actual vulnerable call.

You may find that you get link failures when you attempt to build
krb5-1.3.6 with the patch for SA-2006-002, because krb5-1.3.6 lacks
RPCSEC_GSS support, and the patch references a symbol that is provided
by the RPCSEC_GSS support.

---Tom
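The pattern Tom describes, as an added illustration that is not krb5's own code: a destroy macro that dispatches through a per-flavor ops table (the call lives in one place), and a request routine that resets the transport's auth pointer to a harmless default before any failure path can reach that call (the fix lives in another). Only the names SVCAUTH_DESTROY and RPCSEC_GSS come from the thread; the struct layout, svc_auth_none, the flavor numbers and the function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical layout of a per-flavor auth handle; not the krb5 definition. */
struct svc_auth;
struct svc_auth_ops {
    void (*svc_ah_destroy)(struct svc_auth *);
};
typedef struct svc_auth {
    const struct svc_auth_ops *svc_ah_ops;
    void *svc_ah_private;            /* flavor-specific state, e.g. a GSS context */
} SVCAUTH;

/* The destroy call is an indirect call through whatever ops the handle holds. */
#define SVCAUTH_DESTROY(auth) ((*(auth)->svc_ah_ops->svc_ah_destroy)(auth))

static int gss_destroys;                                   /* counts real teardowns */
static void none_destroy(SVCAUTH *auth) { (void)auth; }    /* nothing to release */
static void gss_destroy(SVCAUTH *auth)
{
    free(auth->svc_ah_private);
    auth->svc_ah_private = NULL;
    gss_destroys++;
}

static const struct svc_auth_ops svc_auth_none_ops = { none_destroy };
static const struct svc_auth_ops svc_auth_gss_ops  = { gss_destroy };
SVCAUTH svc_auth_none = { &svc_auth_none_ops, NULL };      /* assumed default handle */

typedef struct { SVCAUTH *xp_auth; } SVCXPRT;              /* assumed transport */
enum { AUTH_NONE_FLAVOR = 0, RPCSEC_GSS_FLAVOR = 6 };      /* assumed flavor ids */

/* Handle one request on a transport. Returns 0 on success, -1 if rejected. */
int svc_do_xprt(SVCXPRT *xprt, int flavor, SVCAUTH *gss_auth)
{
    /* The fix: point at the no-op default first, so a destroy reached from an
       error path never dereferences an unset or stale ops pointer. */
    xprt->xp_auth = &svc_auth_none;

    if (flavor == RPCSEC_GSS_FLAVOR) {
        gss_auth->svc_ah_ops = &svc_auth_gss_ops;
        xprt->xp_auth = gss_auth;
    } else if (flavor != AUTH_NONE_FLAVOR) {
        SVCAUTH_DESTROY(xprt->xp_auth);  /* error path: safe only because of the reset */
        return -1;
    }
    /* ... dispatch the call ...; then release per-call auth state. */
    SVCAUTH_DESTROY(xprt->xp_auth);
    return 0;
}
```

Without the reset, a rejected request on a transport whose xp_auth was never set would take the error path straight into an indirect call through garbage; with it, the unknown-flavor case runs the no-op destroy and the GSS case tears down its context exactly once.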


