MIT Kerberos 5 Multiple Double-Free Vulnerabilities

admin 2022-07-22 13:01:08 CNNVD Vulnerabilities Source: ZONE.CI Global Network

Vulnerability Details

  • CNNVD ID: CNNVD-200409-062
  • Severity: High
  • CVE ID: CVE-2004-0642
  • Vulnerability type: Buffer overflow
  • Published: 2004-09-28
  • Threat type: Remote
  • Updated: 2005-10-20
  • Vendor: mit
  • Vulnerability source: Will Fiveash and N...

Vulnerability Summary

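Double-free vulnerabilities exist in the error-handling code of the ASN.1 decoders in (1) the Key Distribution Center (KDC) library and (2) the client library of MIT Kerberos 5 (krb5) 1.3.4 and earlier. A remote attacker can exploit these vulnerabilities to execute arbitrary code.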

Vulnerability Advisory

The vendor has released an advisory (MITKRB5-SA-2004-002) along with patches to resolve these issues. Please see the referenced advisory for further information.

Debian GNU/Linux has released an advisory (DSA 543-1) along with fixes to address these and other issues. Please see the referenced advisory for further information.

RedHat Linux has released advisory RHSA-2004:350-12 along with fixes to address these and other issues in RedHat Enterprise Linux operating systems. Please see the referenced advisory for further information.

RedHat Linux has released advisories (FEDORA-2004-276, and FEDORA-2004-277) to address these and other issues for RedHat Fedora Core 1 and 2 respectively. Please see the referenced advisories for further information.

Cisco has released an advisory (cisco-sa-20040831-krb5) to address these and other issues for Cisco VPN 3000 series products. Please see the referenced advisory for further information on obtaining fixes.

Mandrake has released an advisory (MDKSA-2004:088) and fixes to address these issues. Please see the referenced advisory for further information on obtaining fixes.

Trustix has released an advisory (TSL-2004-0045) to address various issues in kerberos5. Please see the referenced advisory for more information.

Gentoo advisory available. Users are advised to upgrade by performing the following steps:

    emerge sync
    emerge -pv ">=app-crypt/mit-krb5-1.3.4"
    emerge ">=app-crypt/mit-krb5-1.3.4"

Conectiva has made advisory CLSA-2004:860 along with fixes available resolving these and other issues. Please see the referenced advisory for more information.

Avaya has released advisory ASA-2004-039 dealing with these issues. Please see the referenced web advisory for more information.

OpenPKG has released advisory OpenPKG-SA-2004.039 to address these, and other issues. Please see the referenced advisory for further information.

Turbolinux has released advisory TLSA-2004-22 to address these, and other issues. Please see the referenced advisory for further information.

Sun has released Security Alert ID 57631 along with fixes for these issues. Please see the web reference for more information. On 24 Sept 2004, Sun withdrew patch 112908-15. On 28 Sept 2004, the patch has become available again with an updated Security Alert.

IBM has released an advisory (2004-09-30-ASN.1) to address these issues in AIX. Please see the referenced advisory for more information about obtaining fixes.

IBM has released information about some of these issues affecting IBM Tivoli Access Manager for e-business version 5.1. Please see the IBM 'MIT Kerberos 5 Vulnerabilities' reference in Web references for more information about obtaining fixes.

Apple has released an advisory (Apple-SA-2004-12-02) dealing with this and other issues. Please see the referenced advisory for more information.

Fedora Legacy has released security advisory FLSA:154276 addressing this issue for RedHat Linux 7.3 and 9, and for Fedora Core 1. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Sun SEAM 1.0.2

  • Sun 115168-05 (Solaris 9 x86 Platform): http://sunsolve.sun.com/search/document.do?assetkey=1-21-115168-05-1

MIT Kerberos 5 1.2.4

  • Debian krb5-admin-server_1.2.4-5woody6_alpha.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_alpha.deb
  • Debian krb5-admin-server_1.2.4-5woody6_arm.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_arm.deb
  • Debian krb5-admin-server_1.2.4-5woody6_hppa.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_hppa.deb
  • Debian krb5-admin-server_1.2.4-5woody6_i386.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_i386.deb
  • Debian krb5-admin-server_1.2.4-5woody6_ia64.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_ia64.deb
  • Debian krb5-admin-server_1.2.4-5woody6_m68k.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_m68k.deb
  • Debian krb5-admin-server_1.2.4-5woody6_mips.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_mips.deb
  • Debian krb5-admin-server_1.2.4-5woody6_mipsel.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_mipsel.deb
  • Debian krb5-admin-server_1.2.4-5woody6_powerpc.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_powerpc.deb
  • Debian krb5-admin-server_1.2.4-5woody6_s390.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_s390.deb
  • Debian krb5-admin-server_1.2.4-5woody6_sparc.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody6_sparc.deb
  • Debian krb5-clients_1.2.4-5woody6_alpha.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody6_alpha.deb
  • Debian krb5-clients_1.2.4-5woody6_arm.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody6_arm.deb
  • Debian krb5-clients_1.2.4-5woody6_hppa.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody6_hppa.deb
  • Debian krb5-clients_1.2.4-5woody6_i386.deb (Debian GNU/Linux 3.0 (woody)): http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody6_i386.deb
  • Deb

References

  • Source: US-CERT Technical Alert: TA04-247A; Name: TA04-247A; Link: http://www.us-cert.gov/cas/techalerts/TA04-247A.HTML
  • Source: US-CERT Vulnerability Note: VU#795632; Name: VU#795632; Link: http://www.kb.cert.org/vuls/id/795632
  • Source: XF; Name: kerberos-kdc-double-free(17157); Link: http://xforce.iss.net/xforce/xfdb/17157
  • Source: TRUSTIX; Name: 2004-0045; Link: http://www.trustix.net/errata/2004/0045/
  • Source: BID; Name: 11078; Link: http://www.securityfocus.com/bid/11078
  • Source: GENTOO; Name: GLSA-200409-09; Link: http://www.gentoo.org/security/en/glsa/glsa-200409-09.xml
  • Source: DEBIAN; Name: DSA-543; Link: http://www.debian.org/security/2004/dsa-543
  • Source: web.mit.edu; Link: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
  • Source: REDHAT; Name: RHSA-2004:350; Link: http://rhn.redhat.com/errata/RHSA-2004-350.HTML
  • Source: OVAL; Name: oval:org.mitre.oval:def:10709; Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10709
  • Source: BUGTRAQ; Name: 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos); Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109508872524753&w=2
  • Source: CONECTIVA; Name: CLA-2004:860; Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000860
  • Source: US Government Resource: oval:org.mitre.oval:def:4936; Name: oval:org.mitre.oval:def:4936; Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4936

Affected Entities

  • Mit Kerberos:5-1.3.4  

Patches

    None available
