Ubuntu
heimdal package

[heimdal] [CVE-2007-5939] possible remote vulnerability of unknown impact via an invalid username

Bug #174615 reported by disabled.user
260
Affects Status Importance Assigned to Milestone
heimdal (Ubuntu)
Fix Released
Undecided
Unassigned
Nominated for Dapper by Scott Kitterman
Edgy
Won't Fix
Undecided
Unassigned
Feisty
Won't Fix
Undecided
Unassigned
Gutsy
Won't Fix
Undecided
Unassigned

Bug Description

Binary package hint: heimdal-dev

References:
[1] MDKSA-2007:239 (http://www.mandriva.com/en/security/advisories?name=MDKSA-2007:239)
[2] CVE-2007-5939 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5939)

Quoting [1]:
"It was found that the gss_userok() function in Heimdal 0.7.2 did not allocate memory for the ticketfile pointer before calling free(), which could possibly allow remote attackers to have an unknown impact via an invalid username. It is uncertain whether or not this is exploitable, however packages are being provided regardless."

Quoting [2]:
"The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect."

CVE References

Revision history for this message
Scott Kitterman (kitterman) wrote :

Version in Hardy not affected.

Changed in heimdal:
status: New → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in heimdal:
status: New → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in heimdal:
status: New → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in heimdal (Ubuntu Gutsy):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.