Bugzilla – Bug 952189
VUL-0: CVE-2015-2696: krb5: IAKERB context aliasing bugs
Last modified: 2016-04-27 19:06:23 UTC
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a Fix IAKERB context aliasing bugs [CVE-2015-2696] The IAKERB mechanism currently replaces its context handle with the krb5 mechanism handle upon establishment, under the assumption that most GSS functions are only called after context establishment. This assumption is incorrect, and can lead to aliasing violations for some programs. Maintain the IAKERB context structure after context establishment and add new IAKERB entry points to refer to it with that type. Add initiate and established flags to the IAKERB context structure for use in gss_inquire_context() prior to context establishment. CVE-2015-2696: In MIT krb5 1.9 and later, applications which call gss_inquire_context() on a partially-established IAKERB context can cause the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. Java server applications using the native JGSS provider are vulnerable to this bug. A carefully crafted IAKERB packet might allow the gss_inquire_context() call to succeed with attacker-determined results, but applications should not make access control decisions based on gss_inquire_context() results prior to context establishment. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C [ghudson@mit.edu: several bugfixes, style changes, and edge-case behavior changes; commit message and CVE description] SLE 12 and up. openSUSE 13.1, 13.2, Leap 42.1 and Tumbleweed. https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a More tests: https://github.com/krb5/krb5/commit/a705b1160ce7f0c5f23b9859c4c6c707503fbfdc References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2696 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2696.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2696 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803084
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (952189) was mentioned in https://build.opensuse.org/request/show/341522 13.1 / krb5 https://build.opensuse.org/request/show/341525 13.2 / krb5
SUSE-SU-2015:1897-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 948011,952188,952189,952190 CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): krb5-1.12.1-19.1 SUSE Linux Enterprise Server 12 (src): krb5-1.12.1-19.1 SUSE Linux Enterprise Desktop 12 (src): krb5-1.12.1-19.1
openSUSE-SU-2015:1928-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 952188,952189,952190 CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697 Sources used: openSUSE 13.2 (src): krb5-1.12.2-15.1, krb5-mini-1.12.2-15.1 openSUSE 13.1 (src): krb5-1.11.3-3.21.1, krb5-mini-1.11.3-3.21.1
openSUSE-SU-2015:1997-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 948011,952188,952189,952190 CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697 Sources used: openSUSE Leap 42.1 (src): krb5-1.12.1-21.1, krb5-mini-1.12.1-21.1
The update has been released, thus closing the bug report.