An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances (CVE-2017-7562). Note that this issue only affects Mageia 6.
RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error. This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers. For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them (CVE-2017-11462).
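The context-ownership hazard described above, as an added example that is not code from krb5 or from this advisory: a toy model of a context-establishment loop whose caller cleans up correctly whether or not the library deletes the context on error. All `toy_*` names are hypothetical stand-ins for the GSS-API calls, and the three-step handshake is an assumption.

```c
#include <stdlib.h>

/* Toy model, NOT the real GSS-API: every toy_* name is hypothetical. */
typedef struct toy_ctx { int step; } *toy_ctx_t;
#define TOY_NO_CONTEXT ((toy_ctx_t)0)
static int live_contexts;   /* contexts allocated and not yet freed */

/* Like gss_delete_sec_context(): frees the context and resets the handle. */
static void toy_delete_sec_context(toy_ctx_t *ctx) {
    if (*ctx == TOY_NO_CONTEXT) return;
    free(*ctx);
    *ctx = TOY_NO_CONTEXT;
    live_contexts--;
}

/* One establishment step; fails when the step counter reaches fail_at.
 * delete_on_error=1 models the deletion RFC 2744 permits,
 * delete_on_error=0 models preserving the context until the caller deletes it. */
static int toy_init_sec_context(toy_ctx_t *ctx, int fail_at, int delete_on_error) {
    if (*ctx == TOY_NO_CONTEXT) {
        *ctx = calloc(1, sizeof **ctx);
        if (*ctx == NULL) return -1;
        live_contexts++;
    }
    if (++(*ctx)->step == fail_at) {
        if (delete_on_error) toy_delete_sec_context(ctx);
        return -1;
    }
    return (*ctx)->step >= 3 ? 0 : 1;   /* 0 = complete, 1 = call again */
}

/* Returns 1 if a failed second call left the caller's handle deleted, which
 * means any copy of the handle the caller stashed elsewhere now dangles. */
static int handle_deleted_on_error(int delete_on_error) {
    toy_ctx_t ctx = TOY_NO_CONTEXT;
    toy_init_sec_context(&ctx, 2, delete_on_error);   /* step 1 succeeds */
    toy_init_sec_context(&ctx, 2, delete_on_error);   /* step 2 fails */
    int deleted = (ctx == TOY_NO_CONTEXT);
    toy_delete_sec_context(&ctx);
    return deleted;
}

/* Caller that is safe under both behaviours: one handle, no second copy,
 * and cleanup only through that handle. */
static int establish(int fail_at, int delete_on_error) {
    toy_ctx_t ctx = TOY_NO_CONTEXT;
    int rc;
    do rc = toy_init_sec_context(&ctx, fail_at, delete_on_error); while (rc == 1);
    toy_delete_sec_context(&ctx);   /* no-op if the library already deleted it */
    return rc;
}

int main(void) {
    return establish(2, 1) == -1 && establish(2, 0) == -1 && live_contexts == 0 ? 0 : 1;
}
```

A caller that frees a cached copy of the handle after the error, instead of going through the single handle as `establish()` does, would free the same context twice under the delete-on-error behaviour.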
A buffer overflow vulnerability was found in the get_matching_data() function when both the CA cert and the user cert have a long subject, affecting krb5 that includes the certauth plugin. The attack requires a validated certificate with a long subject and issuer, and a "pkinit_cert_match" string attribute on some principal in the database. A remote code execution exploit might also require that the attacker gets to choose the contents of the issuer in the validated cert (CVE-2017-15088).