Debian Bug report logs - #577490
CVE-2010-1320 double free in KDC caused by ticket renewal

version graph

Package: krb5-kdc; Maintainer for krb5-kdc is Sam Hartman <hartmans@debian.org>; Source for krb5-kdc is src:krb5.

Reported by: Joel Johnson <mrjoel@lixil.net>

Date: Mon, 12 Apr 2010 05:39:01 UTC

Severity: serious

Tags: confirmed, fixed-upstream, security, upstream

Found in version krb5/1.8.1+dfsg-1

Fixed in version krb5/1.8.1+dfsg-2

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://krbdev.mit.edu/rt/Ticket/Display.html?id=6702

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 05:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joel Johnson <mrjoel@lixil.net>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 05:39:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joel Johnson <mrjoel@lixil.net>
To: <submit@bugs.debian.org>
Subject: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 23:29:30 -0600
Package: krb5-kdc
Version: 1.8.1+dfsg-1
Severity: serious

I have a Sheevaplug (armv5tel) to which I am migrating Kerberos services.
I've imported an existing database and listing principals with kadmin
works, ticket issuing works, kpasswd works. However, when doing a ticket
renewal with `kinit -R` (remotely on or same machine), it causes krb5kdc to
crash immediately.

I previously tested with 1.8+dfsg-1.1 and the krb5-dbg package installed,
and got a very short stacktrace from krb5_free_authdata into free() in
libc. Now with 1.8.1+dfsg-1 installed, all I get is the following:

Program received signal SIGSEGV, Segmentation fault.
0x4023ebac in free () from /lib/libc.so.6
(gdb) 

Kernel: 2.6.32-3-kirkwood
libc6: 2.10.2-6




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 05:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 05:45:03 GMT) Full text and rfc822 format available.

Message #10 received at 577490@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Joel Johnson <mrjoel@lixil.net>
Cc: 577490@bugs.debian.org
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 22:42:16 -0700
Joel Johnson <mrjoel@lixil.net> writes:

> I have a Sheevaplug (armv5tel) to which I am migrating Kerberos
> services.  I've imported an existing database and listing principals
> with kadmin works, ticket issuing works, kpasswd works. However, when
> doing a ticket renewal with `kinit -R` (remotely on or same machine), it
> causes krb5kdc to crash immediately.

Is this with a TGT that's issued by an earlier version of an MIT Kerberos
server, or one handed out by the current server?

> I previously tested with 1.8+dfsg-1.1 and the krb5-dbg package installed,
> and got a very short stacktrace from krb5_free_authdata into free() in
> libc. Now with 1.8.1+dfsg-1 installed, all I get is the following:

> Program received signal SIGSEGV, Segmentation fault.
> 0x4023ebac in free () from /lib/libc.so.6
> (gdb) 

What do you get when you run bt at this prompt?

Although if it's heap corruption, running krb5kdc under valgrind is
usually the fastest way to identify exactly where the problem is.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 05:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 05:57:07 GMT) Full text and rfc822 format available.

Message #15 received at 577490@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Joel Johnson <mrjoel@lixil.net>
Cc: <577490@bugs.debian.org>
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 22:54:39 -0700
Joel Johnson <mrjoel@lixil.net> writes:

> Yeah, it's getting late - here's the actually useful bt output:

> (gdb) continue
> Continuing.

> Program received signal SIGSEGV, Segmentation fault.
> 0x4023ebac in free () from /lib/libc.so.6
> (gdb) bt
> #0  0x4023ebac in free () from /lib/libc.so.6
> #1  0x400f8cf0 in krb5_free_authdata (context=<value optimized out>,
> val=0x2f720) at ../../../../src/lib/krb5/krb/kfree.c:144
> #2  0x0000e18c in ?? ()
> Cannot access memory at address 0x0
> #3  0x0000e18c in ?? ()
> Cannot access memory at address 0x0
> Backtrace stopped: previous frame identical to this frame (corrupt stack?)
> (gdb)

Could you try:

    frame 1
    print *temp
    print **temp

Although from the code and that segfault, I suspect there's heap
corruption somewhere, since it's already checking that *temp isn't NULL.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 05:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joel Johnson <mrjoel@lixil.net>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 05:57:08 GMT) Full text and rfc822 format available.

Message #20 received at 577490@bugs.debian.org (full text, mbox):

From: Joel Johnson <mrjoel@lixil.net>
To: Russ Allbery <rra@debian.org>
Cc: <577490@bugs.debian.org>
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 23:48:51 -0600
On Sun, 11 Apr 2010 22:42:16 -0700, Russ Allbery <rra@debian.org> wrote:
> Joel Johnson <mrjoel@lixil.net> writes:
> 
>> I have a Sheevaplug (armv5tel) to which I am migrating Kerberos
>> services.  I've imported an existing database and listing principals
>> with kadmin works, ticket issuing works, kpasswd works. However, when
>> doing a ticket renewal with `kinit -R` (remotely on or same machine),
it
>> causes krb5kdc to crash immediately.
> 
> Is this with a TGT that's issued by an earlier version of an MIT
Kerberos
> server, or one handed out by the current server?

One handed out by the current server, I am running a kdestroy; kinit;
kinit -R cycle to test it. For completeness I wait until I have the KDC
running under gdb and get the ticket from the same instance.
 
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x4023ebac in free () from /lib/libc.so.6
>> (gdb) 
> 
> What do you get when you run bt at this prompt?
> 
> Although if it's heap corruption, running krb5kdc under valgrind is
> usually the fastest way to identify exactly where the problem is.

Yeah, it's getting late - here's the actually useful bt output:

(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x4023ebac in free () from /lib/libc.so.6
(gdb) bt
#0  0x4023ebac in free () from /lib/libc.so.6
#1  0x400f8cf0 in krb5_free_authdata (context=<value optimized out>,
val=0x2f720) at ../../../../src/lib/krb5/krb/kfree.c:144
#2  0x0000e18c in ?? ()
Cannot access memory at address 0x0
#3  0x0000e18c in ?? ()
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

Joel




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 05:57:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joel Johnson <mrjoel@lixil.net>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 05:57:10 GMT) Full text and rfc822 format available.

Message #25 received at 577490@bugs.debian.org (full text, mbox):

From: Joel Johnson <mrjoel@lixil.net>
To: Joel Johnson <mrjoel@lixil.net>
Cc: Russ Allbery <rra@debian.org>, <577490@bugs.debian.org>
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 23:56:33 -0600
On Sun, 11 Apr 2010 23:48:51 -0600, Joel Johnson <mrjoel@lixil.net> wrote:
> Yeah, it's getting late - here's the actually useful bt output:
> 
> (gdb) continue
> Continuing.
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x4023ebac in free () from /lib/libc.so.6
> (gdb) bt
> #0  0x4023ebac in free () from /lib/libc.so.6
> #1  0x400f8cf0 in krb5_free_authdata (context=<value optimized out>,
> val=0x2f720) at ../../../../src/lib/krb5/krb/kfree.c:144
> #2  0x0000e18c in ?? ()
> Cannot access memory at address 0x0
> #3  0x0000e18c in ?? ()
> Cannot access memory at address 0x0
> Backtrace stopped: previous frame identical to this frame (corrupt
stack?)
> (gdb)

Also forgot to add that I took the same database and /etc/krb5kdc/kdc.conf
onto an amd64 box and didn't have the issue (could renew just fine)... of
course the backtrace goes winding into nowhere and there is no valgrind
support currently present for arm.

Joel




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 06:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 12 Apr 2010 06:03:04 GMT) Full text and rfc822 format available.

Message #30 received at 577490@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Joel Johnson <mrjoel@lixil.net>
Cc: <577490@bugs.debian.org>
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Sun, 11 Apr 2010 23:01:22 -0700
Joel Johnson <mrjoel@lixil.net> writes:

> Also forgot to add that I took the same database and
> /etc/krb5kdc/kdc.conf onto an amd64 box and didn't have the issue (could
> renew just fine)... of course the backtrace goes winding into nowhere
> and there is no valgrind support currently present for arm.

Oh, right, arm.  Yes.  That rules out valgrind.

However, if it is a heap clobber somewhere, valgrind might show it on
other platforms.  Whether or not that causes a crash can depend on
platform as well as lots of other subtle code layout issues.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 11:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 12 Apr 2010 11:27:05 GMT) Full text and rfc822 format available.

Message #35 received at 577490@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Joel Johnson <mrjoel@lixil.net>
Cc: 577490@bugs.debian.org, Russ Allbery <rra@debian.org>
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Mon, 12 Apr 2010 07:17:53 -0400
It would be very interesting to see whether this happens with the kdc in
testing (1.8~alpha1-7).  There is a particular change introduced in
1.8+dfsg-1.1 that might be the problem (although I doubt it).




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#577490; Package krb5-kdc. (Mon, 12 Apr 2010 17:00:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 12 Apr 2010 17:00:10 GMT) Full text and rfc822 format available.

Message #40 received at 577490@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: 577490@bugs.debian.org, Joel Johnson <mrjoel@lixil.net>, control@bugs.debian.org
Subject: Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Mon, 12 Apr 2010 12:58:13 -0400
tags 577490 confirmed, upstream
thanks

I've confirmed this happens on i386 and basically understand what's
going on.  I'm not sure I have the right fix at this point.

For renewal and validation, do_tgs_req.c sets enc_tkt_reply to
*header_ticket->enc_part2.  later, handle_tgt_authdata copies the
TGT_authdata (from header_tkt) to the reply authdata.  I have not
confirmed exactly why krb5_copy_authdata fails when its input and output
are the same, but I'm quite certain that routine is not designed to work
in that case.




Added tag(s) upstream and confirmed. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Mon, 12 Apr 2010 17:09:13 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Mon, 12 Apr 2010 17:54:06 GMT) Full text and rfc822 format available.

Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 12 Apr 2010 18:51:08 GMT) Full text and rfc822 format available.

Notification sent to Joel Johnson <mrjoel@lixil.net>:
Bug acknowledged by developer. (Mon, 12 Apr 2010 18:51:08 GMT) Full text and rfc822 format available.

Message #49 received at 577490-close@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: 577490-close@bugs.debian.org
Subject: Bug#577490: fixed in krb5 1.8.1+dfsg-2
Date: Mon, 12 Apr 2010 18:48:08 +0000
Source: krb5
Source-Version: 1.8.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-admin-server_1.8.1+dfsg-2_i386.deb
krb5-doc_1.8.1+dfsg-2_all.deb
  to main/k/krb5/krb5-doc_1.8.1+dfsg-2_all.deb
krb5-kdc-ldap_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-kdc-ldap_1.8.1+dfsg-2_i386.deb
krb5-kdc_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-kdc_1.8.1+dfsg-2_i386.deb
krb5-multidev_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-multidev_1.8.1+dfsg-2_i386.deb
krb5-pkinit_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-pkinit_1.8.1+dfsg-2_i386.deb
krb5-user_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/krb5-user_1.8.1+dfsg-2_i386.deb
krb5_1.8.1+dfsg-2.diff.gz
  to main/k/krb5/krb5_1.8.1+dfsg-2.diff.gz
krb5_1.8.1+dfsg-2.dsc
  to main/k/krb5/krb5_1.8.1+dfsg-2.dsc
libgssapi-krb5-2_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libgssapi-krb5-2_1.8.1+dfsg-2_i386.deb
libgssrpc4_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libgssrpc4_1.8.1+dfsg-2_i386.deb
libk5crypto3_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libk5crypto3_1.8.1+dfsg-2_i386.deb
libkadm5clnt-mit7_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkadm5clnt-mit7_1.8.1+dfsg-2_i386.deb
libkadm5srv-mit7_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkadm5srv-mit7_1.8.1+dfsg-2_i386.deb
libkdb5-4_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkdb5-4_1.8.1+dfsg-2_i386.deb
libkrb5-3_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkrb5-3_1.8.1+dfsg-2_i386.deb
libkrb5-dbg_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkrb5-dbg_1.8.1+dfsg-2_i386.deb
libkrb5-dev_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkrb5-dev_1.8.1+dfsg-2_i386.deb
libkrb5support0_1.8.1+dfsg-2_i386.deb
  to main/k/krb5/libkrb5support0_1.8.1+dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 577490@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 12 Apr 2010 13:08:35 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4 libkrb5support0
Architecture: source all i386
Version: 1.8.1+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-4  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 577490
Changes: 
 krb5 (1.8.1+dfsg-2) unstable; urgency=high
 .
   * Fix crash in renewal and validation, Thanks Joel Johnson for such a
     prompt bug report, Closes: #577490
Checksums-Sha1: 
 c5f7be8cd94f3cdfbda5673fee8a49cb1d88aa92 1568 krb5_1.8.1+dfsg-2.dsc
 f5906b89a754748fc7424f94918d4629e7674044 119308 krb5_1.8.1+dfsg-2.diff.gz
 1e3bbe1f84c3d4dfe8798c2135360c614d86cee0 2248654 krb5-doc_1.8.1+dfsg-2_all.deb
 1a16311b2a144a6dc9fdafa9b27fc1615fabfe5d 127242 krb5-user_1.8.1+dfsg-2_i386.deb
 17891603b93f276d702640801fc7362f555f520e 200674 krb5-kdc_1.8.1+dfsg-2_i386.deb
 b0c632d8bfa0bd3a4b6610ade3dfa3fe4fc62c82 110442 krb5-kdc-ldap_1.8.1+dfsg-2_i386.deb
 9eedffc33a0936e6baf1c8a2c3412248c8e38e27 104216 krb5-admin-server_1.8.1+dfsg-2_i386.deb
 51ae3958ef7ef80a01f5b13f1d7eedd3584a3d9b 102148 krb5-multidev_1.8.1+dfsg-2_i386.deb
 815463023a2400258e2ed027cac92c4a38350084 35564 libkrb5-dev_1.8.1+dfsg-2_i386.deb
 6581895a1ba717659444cc32022177e49297d953 1607382 libkrb5-dbg_1.8.1+dfsg-2_i386.deb
 69e993f00401e80fac9823994f5525d0bff56d31 73102 krb5-pkinit_1.8.1+dfsg-2_i386.deb
 111141c1686665e4b2ed5dbede88880c2d20e52b 353168 libkrb5-3_1.8.1+dfsg-2_i386.deb
 235e22c1cc1ea4e78e83afb7f0114092a7f66f5d 120810 libgssapi-krb5-2_1.8.1+dfsg-2_i386.deb
 37af1752aa5ff5cbf4ca885b19605014de1f7f8e 75712 libgssrpc4_1.8.1+dfsg-2_i386.deb
 6ba75a548c368224c810120b645bf3391e118ac4 72366 libkadm5srv-mit7_1.8.1+dfsg-2_i386.deb
 e5b9873cd3349a6e221aa3be7dfea015a9ef256e 58904 libkadm5clnt-mit7_1.8.1+dfsg-2_i386.deb
 3bc89ef3d587f09ad91dd49f854d25a859cbf549 96586 libk5crypto3_1.8.1+dfsg-2_i386.deb
 e0686e767f6a8017f0ecc634cce621ba2dd94568 59042 libkdb5-4_1.8.1+dfsg-2_i386.deb
 b62a99e3da399c1da3e0ce5c5ec8436ad6215c4c 42140 libkrb5support0_1.8.1+dfsg-2_i386.deb
Checksums-Sha256: 
 75b4ef30b061ed13a21f0924bc31c7b187297ba408a86482ce868a3386c0926e 1568 krb5_1.8.1+dfsg-2.dsc
 b3cec25419a326d849bc2e61cc0ee32f5b9cf6f4f5140f6bb90c46ca379fd713 119308 krb5_1.8.1+dfsg-2.diff.gz
 3b442fc502126ff8be6f34274106c8a79e62312f17350b03ded3dda0b8f89833 2248654 krb5-doc_1.8.1+dfsg-2_all.deb
 82f749c74c0ceff08afe737487c7c0b10d1d2107d5111142d265702096a64580 127242 krb5-user_1.8.1+dfsg-2_i386.deb
 8ba6c4bdb70a745c8f0128261e9e1c36903605df60b039004e95f591c104bd2a 200674 krb5-kdc_1.8.1+dfsg-2_i386.deb
 4bab1e557386f0312d5291e6ed8c9b716f990302bbf5bf5a44a6c1ddb78db330 110442 krb5-kdc-ldap_1.8.1+dfsg-2_i386.deb
 0cade834dfd4cecef1735a81b4d988e10313497d8bb38cc5916c8361559fd55d 104216 krb5-admin-server_1.8.1+dfsg-2_i386.deb
 6b713bfd9556b809d4dc0776e58f32b224c45d62ccf3d377ed73ee4bee330830 102148 krb5-multidev_1.8.1+dfsg-2_i386.deb
 ddb75894603f74ed9e2c7e48933672f522fdf31b7c02a53d0a8a3c57bf8b78dd 35564 libkrb5-dev_1.8.1+dfsg-2_i386.deb
 56f7fc5141b8972932c649e5d2b537a8286ff88cd859f35c4bc52e2b4157d8bf 1607382 libkrb5-dbg_1.8.1+dfsg-2_i386.deb
 a09a99102cf9eca4c9aa0dd19a394872d82c7555f43428903f664cc67f5ea082 73102 krb5-pkinit_1.8.1+dfsg-2_i386.deb
 8bc551d575f2f9a4a5f416b9e99f316e1f471f3000d4bcac3c335fc25fb74ffd 353168 libkrb5-3_1.8.1+dfsg-2_i386.deb
 65e92854bb35a4f3f0870b3f849b50a8081f6cbfa7c81f273e62d112dd44ff6b 120810 libgssapi-krb5-2_1.8.1+dfsg-2_i386.deb
 b05d3f6f5c4b118e5f9ea4b16580ac63652f8f5b2c7ef6c952c6485549c3a58b 75712 libgssrpc4_1.8.1+dfsg-2_i386.deb
 f3e4eecdb4ff2942e9c1dab10d975477354ab1b3a2535d5c4d0a88c6c9a10a1e 72366 libkadm5srv-mit7_1.8.1+dfsg-2_i386.deb
 c40a17b5cb1ae3f8aabb3734de82c00028a05b2e1339cd9f77c5c446ef309b6b 58904 libkadm5clnt-mit7_1.8.1+dfsg-2_i386.deb
 d623797844d11455af5f9dc02c54e1e44a7da52f0e7be4b556b5c53b241f5894 96586 libk5crypto3_1.8.1+dfsg-2_i386.deb
 7020ad471092fcec8e81b15be7c85f907ca5b39a4bf35f88df62bc53067e84f5 59042 libkdb5-4_1.8.1+dfsg-2_i386.deb
 28bd7e744cb3a39700f35d826eb64ee0ec148de30c263c99d30e79c97d4a74c1 42140 libkrb5support0_1.8.1+dfsg-2_i386.deb
Files: 
 9b321ed44f4ce27823168cf975921828 1568 net standard krb5_1.8.1+dfsg-2.dsc
 e10f3e12dcb5265895392f2517a2644b 119308 net standard krb5_1.8.1+dfsg-2.diff.gz
 275f92ef351074542ed0f519c6a09d8c 2248654 doc optional krb5-doc_1.8.1+dfsg-2_all.deb
 0b4408452027784315b2e9c731800ae2 127242 net optional krb5-user_1.8.1+dfsg-2_i386.deb
 df4f8d4161a2194ed62a3b48ce1339b5 200674 net optional krb5-kdc_1.8.1+dfsg-2_i386.deb
 c56a19fd89471d3c2991b7ef5153110f 110442 net extra krb5-kdc-ldap_1.8.1+dfsg-2_i386.deb
 01b6dfa2e95e319ce6d25834ad2d13a3 104216 net optional krb5-admin-server_1.8.1+dfsg-2_i386.deb
 0631115609a6de31617594b8bfa1f8f6 102148 libdevel optional krb5-multidev_1.8.1+dfsg-2_i386.deb
 d512cef3edd3792f3dc35291884ac88b 35564 libdevel extra libkrb5-dev_1.8.1+dfsg-2_i386.deb
 3129372f72ef66aa349efc0c263fde0d 1607382 debug extra libkrb5-dbg_1.8.1+dfsg-2_i386.deb
 667e915e208b12abeb6d06d75612d38d 73102 net extra krb5-pkinit_1.8.1+dfsg-2_i386.deb
 ab5b8e1cc3fa78cb4cabfac1c452d15b 353168 libs standard libkrb5-3_1.8.1+dfsg-2_i386.deb
 3ba56b43b0afef4d8bd1104a79b6cb94 120810 libs standard libgssapi-krb5-2_1.8.1+dfsg-2_i386.deb
 35406663d14ab2603783597022b70a8d 75712 libs standard libgssrpc4_1.8.1+dfsg-2_i386.deb
 019d40f52737bbb7807ff3444b93b430 72366 libs standard libkadm5srv-mit7_1.8.1+dfsg-2_i386.deb
 e0401ed598b6f0382bacb63754bc1da2 58904 libs standard libkadm5clnt-mit7_1.8.1+dfsg-2_i386.deb
 09c9da94a86728ced0795998eb77749d 96586 libs standard libk5crypto3_1.8.1+dfsg-2_i386.deb
 01779bd4d6942704356e6922a466401d 59042 libs standard libkdb5-4_1.8.1+dfsg-2_i386.deb
 a6bc3d565c576682ad680c7935c031ff 42140 libs standard libkrb5support0_1.8.1+dfsg-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvDWDwACgkQ/I12czyGJg/tHQCaA2k0WsRnkVnVZz4rZ58UhKy3
46gAoO8lJLNm3RXsmMiQTxjDC8V9yLo7
=/9B3
-----END PGP SIGNATURE-----





Bug No longer marked as fixed in versions krb5/1.8.1+dfsg-2 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Apr 2010 17:09:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#577490; Package krb5-kdc. (Tue, 13 Apr 2010 19:33:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Tue, 13 Apr 2010 19:33:12 GMT) Full text and rfc822 format available.

Message #56 received at 577490@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Brian Almeida <bma@thunderkeys.net>
Cc: 577490@bugs.debian.org
Subject: Re: Processed (with 5 errors): Re: Bug#577490: TGT renewal causes krb5kdc to crash on armel
Date: Tue, 13 Apr 2010 15:32:12 -0400
It's not at all surprising that you're seeing crashes with 1.8.1+dfsg-1
given that the problem is fixed in 1.8.1+dfsg-2.




Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Tue, 13 Apr 2010 19:45:16 GMT) Full text and rfc822 format available.

Notification sent to Joel Johnson <mrjoel@lixil.net>:
Bug acknowledged by developer. (Tue, 13 Apr 2010 19:45:16 GMT) Full text and rfc822 format available.

Message #61 received at 577490-done@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: 577490-done@bugs.debian.org
Subject: Record as fixed
Date: Tue, 13 Apr 2010 15:35:09 -0400 (EDT)
source: krb5
source-version: 1.8.1+dfsg-2

The reopen was bogus: -1 is expected to crash as -2 is what fixes the
problem.




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Wed, 14 Apr 2010 03:45:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tom Yu <tlyu@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Wed, 14 Apr 2010 03:45:07 GMT) Full text and rfc822 format available.

Message #66 received at 577490@bugs.debian.org (full text, mbox):

From: Tom Yu <tlyu@MIT.EDU>
To: 577490@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2010-1320
Date: Tue, 13 Apr 2010 23:35:36 -0400
tags 577490 security
thanks


upstream advisory is pending

CVE-2010-1320

CVSSv2 vector  AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C




Added tag(s) security. Request was from Tom Yu <tlyu@MIT.EDU> to control@bugs.debian.org. (Wed, 14 Apr 2010 03:45:09 GMT) Full text and rfc822 format available.

Changed Bug title to 'CVE-2010-1320 double free in KDC caused by ticket renewal' from 'TGT renewal causes krb5kdc to crash on armel' Request was from Tom Yu <tlyu@MIT.EDU> to control@bugs.debian.org. (Tue, 20 Apr 2010 21:24:03 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://krbdev.mit.edu/rt/Ticket/Display.html?id=6702'. Request was from Tom Yu <tlyu@MIT.EDU> to control@bugs.debian.org. (Tue, 20 Apr 2010 21:24:04 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from Tom Yu <tlyu@MIT.EDU> to control@bugs.debian.org. (Tue, 20 Apr 2010 21:24:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#577490; Package krb5-kdc. (Tue, 20 Apr 2010 21:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tom Yu <tlyu@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 20 Apr 2010 21:30:03 GMT) Full text and rfc822 format available.

Message #79 received at 577490@bugs.debian.org (full text, mbox):

From: Tom Yu <tlyu@MIT.EDU>
To: 577490@bugs.debian.org
Cc: control@bugs.debian.org
Subject: forwarded, fixed upstream
Date: Tue, 20 Apr 2010 17:21:07 -0400
retitle 577490 CVE-2010-1320 double free in KDC caused by ticket renewal
forwarded 577490 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6702
tags 577490 + fixed-upstream
thanks

Upstream bug #6702 CVE-2010-1230 KDC double free caused by ticket
renewal (MITKRB5-SA-2010-004)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 May 2010 07:39:09 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:00:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.