CVE-2008-0063

Description

The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."

CVSS breakdown

Affected products

• Apple / mac_os_x10.4.11
• Apple / mac_os_x_server10.4.11
• Canonical / Ubuntu Linux7.04 – 7.04
• Canonical / Ubuntu Linux6.06 – 6.06
• Canonical / Ubuntu Linux6.10 – 6.10
• Canonical / Ubuntu Linux7.10 – 7.10
• Debian / debian_linux3.1 – 3.1
• Debian / debian_linux4.0 – 4.0
• fedoraproject / fedora8 – 8
• fedoraproject / fedora7 – 7
• MIT / Kerberos 51.6.3
• openSUSE / opensuse10.3 – 10.3
• openSUSE / opensuse10.2 – 10.2
• SUSE / linux10.1 – 10.1
• SUSE / linux_enterprise_desktop10 – 10
• SUSE / linux_enterprise_server10 – 10
• SUSE / linux_enterprise_software_development_kit10 – 10

References

• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/1744
• VENDOR_ADVISORYhttp://secunia.com/advisories/29457
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:069
• VENDOR_ADVISORYhttp://secunia.com/advisories/29464
• MISChttp://www.gentoo.org/security/en/glsa/glsa-200803-31.xml
• MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/41277
• MISChttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00537.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:071
• VENDOR_ADVISORYhttp://wiki.rpath.com/Advisories:rPSA-2008-0112
• MISChttp://www.securitytracker.com/id?1019627
• MISChttp://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022542.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/29451
• VENDOR_ADVISORYhttp://secunia.com/advisories/29663
• MISChttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00544.html
• VENDOR_ADVISORYhttp://wiki.rpath.com/wiki/Advisories:rPSA-2008-0112
• VENDOR_ADVISORYhttp://secunia.com/advisories/29438
• VENDOR_ADVISORYhttp://www.vmware.com/security/advisories/VMSA-2008-0009.html
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/0924/references
• MISChttp://www.redhat.com/support/errata/RHSA-2008-0164.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:070
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/0922/references
• VENDOR_ADVISORYhttp://secunia.com/advisories/29450
• VENDOR_ADVISORYhttp://secunia.com/advisories/29435
• MISChttp://www.securityfocus.com/archive/1/489883/100/0/threaded
• VENDOR_ADVISORYhttp://secunia.com/advisories/29428
• VENDOR_ADVISORYhttp://secunia.com/advisories/29420
• VENDOR_ADVISORYhttp://www.debian.org/security/2008/dsa-1524
• VENDOR_ADVISORYhttp://secunia.com/advisories/30535
• MAILING_LISThttp://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
• MISChttp://www.redhat.com/support/errata/RHSA-2008-0182.html
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8916
• MISChttp://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022520.html
• MISChttp://www.securityfocus.com/archive/1/493080/100/0/threaded
• MISChttp://www.redhat.com/support/errata/RHSA-2008-0180.html
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2008-03/msg00006.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/29516
• VENDOR_ADVISORYhttp://secunia.com/advisories/29462
• VENDOR_ADVISORYhttp://secunia.com/advisories/29424
• VENDOR_ADVISORYhttp://docs.info.apple.com/article.html?artnum=307562
• MISChttp://www.redhat.com/support/errata/RHSA-2008-0181.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/29423
• VENDOR_ADVISORYhttp://www.ubuntu.com/usn/usn-587-1
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2008/1102/references
• MISChttp://www.securityfocus.com/bid/28303
• VENDOR_ADVISORYhttp://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
• MISChttp://www.securityfocus.com/archive/1/489761