PublicDateAtUSN: 2020-03-31 03:00:00 UTC
Candidate: CVE-2020-10595
CRD: 2020-03-31 03:00:00 UTC
PublicDate: 2020-03-31 13:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
 https://ubuntu.com/security/notices/USN-4314-1
Description:
 pam-krb5 before 4.9 has a buffer overflow that might cause remote code
 execution in situations involving supplemental prompting by a Kerberos
 library. It may overflow a buffer provided by the underlying Kerberos
 library by a single '\0' byte if an attacker responds to a prompt with an
 answer of a carefully chosen length. The effect may range from heap
 corruption to stack corruption depending on the structure of the underlying
 Kerberos library, with unknown effects but possibly including code
 execution. This code path is not used for normal authentication, but only
 when the Kerberos library does supplemental prompting, such as with PKINIT
 or when using the non-standard no_prompt PAM configuration option.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libpam-krb5:
upstream_libpam-krb5: needs-triage
precise/esm_libpam-krb5: released (4.5-3ubuntu0.1)
trusty_libpam-krb5: ignored (out of standard support)
trusty/esm_libpam-krb5: released (4.6-2ubuntu0.1~esm1)
xenial_libpam-krb5: released (4.7-2ubuntu0.1)
esm-infra/xenial_libpam-krb5: released (4.7-2ubuntu0.1)
bionic_libpam-krb5: released (4.8-1ubuntu0.1)
eoan_libpam-krb5: released (4.8-2ubuntu0.1)
devel_libpam-krb5: released (4.8-2ubuntu1)