CVE-2020-10595: 
NixOS vulnerability analysis and mitigation

CVE-2020-10595 affects pam-krb5, a Kerberos PAM module, discovered on March 2, 2020, and publicly announced on March 30, 2020. The vulnerability affects all versions prior to 4.8, with version 4.9 providing the fix. This security issue was discovered by Russ Allbery during a code refactoring of the pam-krb5 Kerberos PAM module (Openwall Advisory).

The vulnerability is a single-byte buffer overflow that occurs during prompting initiated by the Kerberos library. When an attacker enters a response exactly as long as the length of the buffer provided by the underlying Kerberos library, it causes pam-krb5 to write a single nul byte past the end of that buffer. The effect of this buffer overflow depends on the buffer allocation strategy of the underlying Kerberos library, potentially resulting in heap corruption or a single-byte overwrite of another stack variable (Openwall Advisory).

The vulnerability could result in heap corruption or stack corruption depending on the structure of the underlying Kerberos library, with potential consequences including denial of service or possibly remote code execution. However, the impact is limited as this code path is not used for normal authentication, but only when the Kerberos library performs supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option (Debian Advisory, Ubuntu Notice).

The vulnerability has been fixed in pam-krb5 version 4.9 and later. Various Linux distributions have released patched versions: Debian 9.0 (stretch) fixed in version 4.7-4+deb9u1, Debian 10.0 (buster) fixed in version 4.8-2+deb10u1, Ubuntu 19.10 fixed in version 4.8-2ubuntu0.1, Ubuntu 18.04 fixed in version 4.8-1ubuntu0.1, and Ubuntu 16.04 fixed in version 4.7-2ubuntu0.1 (Debian Advisory, Ubuntu Notice).