SB2015120102 - Out-of-bounds read in krb5 (Alpine package)
Published: December 1, 2015
Security Bulletin ID
SB2015120102
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2015-2697)
The vulnerability allows a remote attacker to gain access to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the lib/krb5/krb/bld_princ.c function in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '' character file. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and crash the affected application.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5e3bdd5e3d1bbd6ec59d091da48d09abd09989bc
- https://git.alpinelinux.org/aports/commit/?id=fdc57cf10ba6dc021e62e0f666912ce98100b514
- https://git.alpinelinux.org/aports/commit/?id=f9f0307cf4d91055a8dffc51c7082e28f0df3e81
- https://git.alpinelinux.org/aports/commit/?id=4b6e93b289ac9264c1bf81d41628b80f82d8cfe0