krb5 1.4.4-6 fixes mit-sa-2006-2 (see http://web.mit.edu/kerberos/advisories/ ) which is a fairly serious bug found through a mostly unrelated problem. I've attached a diff below; I strongly recommend that this package be accepted into etch. Debian is not vulnerable to mit-sa-2006-3.
=== debian/changelog ==================================================================
--- debian/changelog (/remote/krb5/trunk/krb5) (revision 2663)
+++ debian/changelog (/k5-s/krb5) (local)
@@ -1,3 +1,12 @@
+krb5 (1.4.4-6) unstable; urgency=emergency
+
+ * mit-sa-2006-2: kadmind and rpc library call through function pointer
+ to freed memory (CVE-2006-6143)
+ - null out xp_auth unless it is associated with an rpcsec_gss
+ connection
+
+ -- Sam Hartman <hartmans@debian.org> Thu, 4 Jan 2007 16:07:02 -0500
+
 krb5 (1.4.4-5) unstable; urgency=low
 
 * Translation updates:
=== debian/patch.mit-sa-2006-2 ==================================================================
--- debian/patch.mit-sa-2006-2 (/remote/krb5/trunk/krb5) (revision 2663)
+++ debian/patch.mit-sa-2006-2 (/k5-s/krb5) (local)
@@ -0,0 +1,27 @@
+Index: src/lib/rpc/svc.c
+===================================================================
+*** src/lib/rpc/svc.c (revision 18864)
+--- src/lib/rpc/svc.c (working copy)
+***************
+*** 437,442 ****
+--- 437,444 ----
+ #endif
+ }
+
++ extern struct svc_auth_ops svc_auth_gss_ops;
++
+ static void
+ svc_do_xprt(SVCXPRT *xprt)
+ {
+***************
+*** 518,523 ****
+--- 520,528 ----
+ if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
+ SVC_DESTROY(xprt);
+ break;
++ } else if ((xprt->xp_auth != NULL) &&
++ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
++ xprt->xp_auth = NULL;
+ }
+ } while (stat == XPRT_MOREREQS);
+
=== src/lib/rpc/svc.c ==================================================================
--- src/lib/rpc/svc.c (/remote/krb5/trunk/krb5) (revision 2663)
+++ src/lib/rpc/svc.c (/k5-s/krb5) (local)
@@ -436,6 +436,8 @@
 #endif
 }
 
+extern struct svc_auth_ops svc_auth_gss_ops;
+
 static void
 svc_do_xprt(SVCXPRT *xprt)
 {
@@ -517,6 +519,9 @@
 if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
 SVC_DESTROY(xprt);
 break;
+ } else if ((xprt->xp_auth != NULL) &&
+ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+ xprt->xp_auth = NULL;
 }
 } while (stat == XPRT_MOREREQS);
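Review bot: The `extern struct svc_auth_ops svc_auth_gss_ops;` declaration is written directly into svc.c above svc_do_xprt, so the compiler cannot check it against the real definition if the two ever drift apart. If a header visible to both files already declares the GSS ops table (not shown in this diff), including it would be safer. Otherwise a short comment such as `/* GSS auth ops table, referenced only to recognise GSS-owned xp_auth */` would make the coupling explicit.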
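Review bot: The new `else if` branch in svc_do_xprt's loop clears `xprt->xp_auth` for every flavor whose ops pointer is not `&svc_auth_gss_ops`, but the code carries no comment on why GSS is exempt or who owns the object, and that is the whole substance of the CVE-2006-6143 fix. I would add something like `/* non-GSS xp_auth presumably does not outlive the request; clear it so nothing later calls through a stale ops pointer */` above the branch. Because the pointer is now NULL between requests, it is worth confirming that the destroy and reply paths outside this hunk test `xp_auth != NULL` before calling through it. The function begins and ends outside the hunk, and the same change is mirrored in debian/patch.mit-sa-2006-2.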