An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.
{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "krb5-user",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libgssrpc4",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkadm5clnt-mit11",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkadm5srv-mit11",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkdb5-9",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkrad0",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.17-6ubuntu4.11"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.17-6ubuntu4.11"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "krb5-user",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libgssrpc4",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkadm5clnt-mit12",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkadm5srv-mit12",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkdb5-10",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkrad0",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.19.2-2ubuntu0.7"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.19.2-2ubuntu0.7"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "krb5-user",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libgssrpc4t64",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkadm5clnt-mit12",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkadm5srv-mit12",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkdb5-10t64",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkrad0",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.20.1-6ubuntu2.6"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.20.1-6ubuntu2.6"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "krb5-user",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libgssrpc4t64",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkadm5clnt-mit12",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkadm5srv-mit12",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkdb5-10t64",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkrad0",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.21.3-5ubuntu2"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.21.3-5ubuntu2"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "krb5-user",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libgssrpc4t64",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkadm5clnt-mit12",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkadm5srv-mit12",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkdb5-10t64",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkrad0",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.22.1-2ubuntu4"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.22.1-2ubuntu4"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "krb5-user",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libgssrpc4",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkadm5clnt-mit9",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkadm5srv-mit8",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkadm5srv-mit9",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkdb5-7",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkrad0",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.12+dfsg-2ubuntu5.4+esm7"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "krb5-user",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libgssrpc4",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkadm5clnt-mit9",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkadm5srv-mit9",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkdb5-8",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkrad0",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.13.2+dfsg-5ubuntu2.2+esm7"
}
]
}{
"binaries": [
{
"binary_name": "krb5-admin-server",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-gss-samples",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-k5tls",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-kdc",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-kdc-ldap",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-kpropd",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-locales",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-multidev",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-otp",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-pkinit",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "krb5-user",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libgssapi-krb5-2",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libgssrpc4",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libk5crypto3",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkadm5clnt-mit11",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkadm5srv-mit11",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkdb5-9",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkrad0",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkrb5-3",
"binary_version": "1.16-2ubuntu0.4+esm5"
},
{
"binary_name": "libkrb5support0",
"binary_version": "1.16-2ubuntu0.4+esm5"
}
]
}