Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201202-05 ] Heimdal: Arbitrary code execution
Date: Wed, 22 Feb 2012 21:20:00
Message-Id: 4F454F0B.4080206@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201202-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Heimdal: Arbitrary code execution
9 Date: February 22, 2012
10 Bugs: #396105
11 ID: 201202-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A boundary error in Heimdal could result in execution of arbitrary
19 code.
20
21 Background
22 ==========
23
24 Heimdal is a free implementation of Kerberos 5.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 app-crypt/heimdal < 1.5.1-r1 >= 1.5.1-r1
33
34 Description
35 ===========
36
37 A boundary error in the "encrypt_keyid()" function in
38 appl/telnet/libtelnet/encrypt.c of the telnet daemon and client could
39 cause a buffer overflow.
40
41 Impact
42 ======
43
44 An unauthenticated remote attacker may be able to execute arbitrary
45 code with the privileges of the user running the telnet daemon or
46 client, or cause Denial of Service.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All Heimdal users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-1.5.1-r1"
60
61 References
62 ==========
63
64 [ 1 ] CVE-2011-4862
65 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4862
66
67 Availability
68 ============
69
70 This GLSA and any updates to it are available for viewing at
71 the Gentoo Security Website:
72
73 http://security.gentoo.org/glsa/glsa-201202-05.xml
74
75 Concerns?
76 =========
77
78 Security is a primary focus of Gentoo Linux and ensuring the
79 confidentiality and security of our users' machines is of utmost
80 importance to us. Any security concerns should be addressed to
81 security@g.o or alternatively, you may file a bug at
82 https://bugs.gentoo.org.
83
84 License
85 =======
86
87 Copyright 2012 Gentoo Foundation, Inc; referenced text
88 belongs to its owner(s).
89
90 The contents of this document are licensed under the
91 Creative Commons - Attribution / Share Alike license.
92
93 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature