[3.4] Krb5: Multiple vulnerabilities (CVE-2015-8629, CVE-2015-8630, CVE-2015-8631)
CVE-2015-8629: Verify decoded kadmin C strings
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
Fixed in version:
1.14.1, 1.13.4
References:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8341
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8629
https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
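The class of bug described above, as an added illustration (not the krb5 code or the project's fix): a hypothetical decoder for a length-prefixed string field that refuses any string whose declared bytes do not end in a zero byte, so later C string operations cannot run past the decoded buffer. The message format and sample messages are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder: 4-byte big-endian length followed by that many bytes.
 * Returns a pointer to a valid C string inside msg and advances *off, or NULL
 * if the field is truncated or lacks a terminating zero within its length. */
const char *decode_cstring(const unsigned char *msg, size_t msg_len, size_t *off)
{
    if (*off + 4 > msg_len)
        return NULL;                      /* no room for the length prefix */
    uint32_t len = ((uint32_t)msg[*off] << 24) | ((uint32_t)msg[*off + 1] << 16) |
                   ((uint32_t)msg[*off + 2] << 8) | (uint32_t)msg[*off + 3];
    *off += 4;
    if (len == 0 || len > msg_len - *off)
        return NULL;                      /* declared length exceeds the message */
    const char *s = (const char *)msg + *off;
    /* The check that matters: the final decoded byte must be NUL, otherwise
     * strlen()/strcpy() on s would read beyond the bytes that were decoded. */
    if (s[len - 1] != '\0')
        return NULL;
    *off += len;
    return s;
}

/* Constructed sample messages (not real kadmin traffic). */
static const unsigned char good_msg[]  = { 0, 0, 0, 6, 'a', 'd', 'm', 'i', 'n', 0 };
static const unsigned char bad_msg[]   = { 0, 0, 0, 5, 'a', 'd', 'm', 'i', 'n' }; /* no NUL */
static const unsigned char short_msg[] = { 0, 0, 0, 9, 'a', 'b', 0 };            /* len > data */

int main(void)
{
    size_t off = 0;
    const char *s = decode_cstring(good_msg, sizeof good_msg, &off);
    printf("good_msg:  %s (consumed %zu bytes)\n", s ? s : "(rejected)", off);
    off = 0;
    s = decode_cstring(bad_msg, sizeof bad_msg, &off);
    printf("bad_msg:   %s\n", s ? s : "(rejected)");
    off = 0;
    s = decode_cstring(short_msg, sizeof short_msg, &off);
    printf("short_msg: %s\n", s ? s : "(rejected)");
    return 0;
}
```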
CVE-2015-8630: Check for null kadm5 policy name
In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY
in the mask.
Fixed in version:
1.14.1, 1.13.4
References:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8342
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8630
https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b
CVE-2015-8631: Fix leaks in kadmin server stubs
In all versions of MIT krb5, an authenticated attacker can cause kadmind
to leak memory by supplying a null principal name in a request which
uses one. Repeating these requests will eventually cause kadmind to
exhaust all available memory.
Fixed in version:
1.14.1, 1.13.4
References:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8631
https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2
(from redmine: issue id 5125, created on 2016-02-16, closed on 2016-02-23)
- Relations:
  - parent #5124 (closed)
- Changesets:
  - Revision eab4343d on 2016-02-22T14:42:26Z:
    main/krb5: security fixes (CVE-2015-8629, CVE-2015-8630, CVE-2015-8631). Fixes #5125