CVE-2015-8629

Published: 13 February 2016

The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.

From the Ubuntu security team

It was discovered that Kerberos incorrectly handled input strings. A remote authenticated attacker could possibly use this issue to obtain sensitive information or cause a denial of service.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
krb5
Launchpad, Ubuntu, Debian
Upstream
Released (1.14+dfsg-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1.14.3+dfsg-2ubuntu1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(1.14.3+dfsg-2ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1.14.3+dfsg-2ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.14.3+dfsg-2ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(1.13.2+dfsg-5)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.12+dfsg-2ubuntu5.4)
Patches:
Upstream: https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
Binaries built from this source package are in Universe and so are supported by the community.