• Inquiry Regarding CVE-2024-26461 Fix in Upcoming krb5 Release

    From Zhang, Shawn@21:1/5 to All on Fri Nov 8 06:43:11 2024
    Dear Greg Hudson,

    I hope this message finds you well.

    I am writing to inquire about the current status and expected timeline for addressing the CVE identified in the krb5 software. Our team needs to understand when a fix for this vulnerability will be available in an upcoming release to plan our security
    updates accordingly.

    I can see that commit c5f9c816107f70139de11b38aa02db2f1774ee0d <https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d> includes the fix for CVE-2024-26461 <https://nvd.nist.gov/vuln/detail/CVE-2024-26461>. However, these
    changes are not yet included in the latest krb5 release, which is 1.21.3 (krb5-1.21.3-final <https://github.com/krb5/krb5/tree/krb5-1.21.3-final>).

    Could you please provide more details on the targeted release version and date for the fix?

    Your assistance in this matter is highly appreciated as it will help us ensure the security and stability of our systems. I look forward to your prompt response.
    Thank you for your attention and cooperation.

    Best regards,

    Shawn Zhang (he/him)
    Senior Principal Engineer, Protocol
    Dell Technologies | Unstructured & Secondary Storage Shawn.Zhang@Dell.com<mailto:Shawn.Zhang@Dell.com>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Zhang, Shawn on Fri Nov 8 12:18:51 2024
    To: kerberos@mit.edu (kerberos@mit.edu)

    On 11/8/24 01:43, Zhang, Shawn via Kerberos wrote:
    > I can see that commit c5f9c816107f70139de11b38aa02db2f1774ee0d <https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d> includes the fix for CVE-2024-26461 <https://nvd.nist.gov/vuln/detail/CVE-2024-26461>. However, these
    > changes are not yet included in the latest krb5 release, which is 1.21.3 (krb5-1.21.3-final <https://github.com/krb5/krb5/tree/krb5-1.21.3-final>).

    In my view as the upstream maintainer, these logic errors have zero
    impact and should not have been assigned any CVEs. Therefore I have no
    intent to backport the fixes to a stable release branch. This CVE is
    part of an unfortunate trend where researchers discover "defects" using
    static analysis tools and allocate CVEs with no meaningful analysis of
    whether there is an actual vulnerability [1].

    The logic error in gss_krb5int_make_seal_token_v3() could only result in
    a memory leak if the bounds check "SIZE_MAX - 300 < message->length"
    triggers, meaning the application asked to wrap or MIC a message of
    almost the entire addressable memory. This is of course impossible;
    more than 300 bytes of address space will be used by other parts of a
    program.

    The other logic error is in xdr_rmtcallres(), which I believe (with high confidence) is unused in this implementation of the RPC library.

    [1] https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/

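As an added illustration of the reasoning in the reply above (constructed for this page; it is not krb5's code and is not from either message), the error-path pattern Greg describes: a scratch buffer allocated before the quoted `SIZE_MAX - 300 < message->length` check leaks only when that check fires, shown beside the single-exit form that frees on every path. The function names, the 64-byte buffer and the allocation counter are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Allocation counter so a test can observe a leak without a leak checker. */
static int live_allocations = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL) live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (p != NULL) live_allocations--;
    free(p);
}

/* The quoted bounds check: true only for lengths within 300 bytes of
 * SIZE_MAX, i.e. a message spanning nearly the whole address space. */
int length_check_triggers(size_t message_length)
{
    return SIZE_MAX - 300 < message_length;
}

/* Leaky pattern (constructed): scratch buffer allocated before the check;
 * the early return on check failure skips the free. Returns -1 on failure. */
int make_token_leaky(size_t message_length)
{
    unsigned char *token = tracked_malloc(64);
    if (token == NULL) return -1;
    if (length_check_triggers(message_length))
        return -1;                          /* token leaked on this path */
    tracked_free(token);
    return 0;
}

/* Fixed pattern: a single cleanup label, so every exit releases the buffer. */
int make_token_fixed(size_t message_length)
{
    int ret = -1;
    unsigned char *token = tracked_malloc(64);
    if (token == NULL) return -1;
    if (length_check_triggers(message_length))
        goto cleanup;
    ret = 0;
cleanup:
    tracked_free(token);
    return ret;
}

int leaked_buffers(void) { return live_allocations; } /* 0 means no leak */
```

Any realistic message length leaves the leaky path unreached, which is the point of the reply; the fixed form simply removes the dependency on that fact.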