SB2015120204 - Buffer overflow in krb5 (Alpine package)
Published: December 2, 2015
Security Bulletin ID
SB2015120204
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2015-2698)
The vulnerability allows a remote #AU# to execute arbitrary code.
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5e3bdd5e3d1bbd6ec59d091da48d09abd09989bc
- https://git.alpinelinux.org/aports/commit/?id=f25b0174e74aafc80cd9666132c2dcfc4464ecab
- https://git.alpinelinux.org/aports/commit/?id=9049785e3e52d85b775fbeac2c59dc745022e439
- https://git.alpinelinux.org/aports/commit/?id=b580785e3e3ba884c4407b0e8d89f6ec96cbab53