CVE-2018-5709

Priority
Description
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is
a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store
16-bit data but unknowingly the developer has assigned a "u4" variable to
it, which is for 32-bit data. An attacker can use this vulnerability to
affect other artifacts of the database as we know that a Kerberos database
dump file contains trusted data.
Notes
ebarrettoaccording to debian security tracker: non-issue, codepath is
only run on trusted input, potential integer overflow is
non-issue
Package
Source: krb5 (LP Ubuntu Debian)
Upstream:deferred
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):ignored (reached end-of-life)
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
More Information

Updated: 2020-01-23 20:42:04 UTC (commit b4629892d998f2ede31f59bb7508dc50a92ac664)