Debian Bug report logs - #704775
krb5: KDC TGS-REQ null deref (CVE-2013-1416)


Package: krb5-kdc; Maintainer for krb5-kdc is Sam Hartman <hartmans@debian.org>; Source for krb5-kdc is src:krb5.

Reported by: Benjamin Kaduk <kaduk@MIT.EDU>

Date: Fri, 5 Apr 2013 18:36:01 UTC

Severity: serious

Tags: pending, security

Found in versions krb5/1.10.1+dfsg-4+nmu1, krb5/1.8.3+dfsg-4squeeze6

Fixed in version krb5/1.10.1+dfsg-5

Done: Benjamin Kaduk <kaduk@mit.edu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Fri, 05 Apr 2013 18:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 05 Apr 2013 18:36:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: submit@bugs.debian.org
Subject: krb5: KDC TGS-REQ null deref (CVE-2013-1416)
Date: Fri, 5 Apr 2013 14:32:28 -0400 (EDT)
Package: krb5-kdc
Version: 1.10.1+dfsg-4+nmu1
Severity: serious

Upstream has patched against CVE-2013-1416; Debian should as well.

By sending an unusual but valid TGS-REQ, an authenticated remote attacker 
can cause the KDC process to crash by dereferencing a null pointer.

Only krb5 releases 1.7 to 1.10 are affected; the code in question was 
rewritten for 1.11.



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Fri, 05 Apr 2013 18:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 05 Apr 2013 18:42:04 GMT) Full text and rfc822 format available.

Message #10 received at 704775@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: 704775@bugs.debian.org
Subject: Re: Bug#704775: Acknowledgement (krb5: KDC TGS-REQ null deref (CVE-2013-1416))
Date: Fri, 5 Apr 2013 14:40:01 -0400 (EDT)
The patch is now available in the pkg-k5-afs/debian.git repository on 
alioth.



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2013 19:12:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Sat, 06 Apr 2013 19:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 06 Apr 2013 19:09:07 GMT) Full text and rfc822 format available.

Message #17 received at 704775@bugs.debian.org (full text, mbox):

From: Michael Gilbert <mgilbert@debian.org>
To: 704775@bugs.debian.org, 704775-submitter@bugs.debian.org
Subject: re: krb5: KDC TGS-REQ null deref (CVE-2013-1416)
Date: Sat, 6 Apr 2013 15:07:29 -0400
I'm not seeing any new kerberos releases:
http://web.mit.edu/kerberos/krb5-1.10

Is this perhaps not meant to be public knowledge yet?

Best wishes,
Mike



Message sent on to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug#704775. (Sat, 06 Apr 2013 19:09:16 GMT) Full text and rfc822 format available.

Reply sent to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility. (Sun, 07 Apr 2013 17:06:27 GMT) Full text and rfc822 format available.

Notification sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug acknowledged by developer. (Sun, 07 Apr 2013 17:06:27 GMT) Full text and rfc822 format available.

Message #25 received at 704775-close@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@mit.edu>
To: 704775-close@bugs.debian.org
Subject: Bug#704775: fixed in krb5 1.10.1+dfsg-5
Date: Sun, 07 Apr 2013 17:03:14 +0000
Source: krb5
Source-Version: 1.10.1+dfsg-5

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 05 Apr 2013 14:36:50 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit8 libkadm5clnt-mit8 libk5crypto3 libkdb5-6 libkrb5support0 krb5-gss-samples krb5-locales
Architecture: source all amd64
Version: 1.10.1+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit8 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit8 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-6  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 703457 704647 704775
Changes: 
 krb5 (1.10.1+dfsg-5) unstable; urgency=high
 .
   * Import workaround for getaddrinfo bug from upstream.  Described in
     upstream's RT 7124, Closes: #704647
   * Correct CVE number for CVE-2012-1016 in changelog and patches, Closes:
     #703457
   * Import upstream's fix for CVE-2013-1416, Closes: #704775
Checksums-Sha1: 
 96c8b1bae8895213219f4ba35f71c601b4369e92 2287 krb5_1.10.1+dfsg-5.dsc
 c4c35fd67f163ed82cb1426e05854eb2bbbcbadb 135076 krb5_1.10.1+dfsg-5.debian.tar.gz
 5140d04910eb7903a07f6409214cdf53dec4337f 2668656 krb5-doc_1.10.1+dfsg-5_all.deb
 a5fe28590d87acc3b6cc1f95714ac828c9f165d4 1502290 krb5-locales_1.10.1+dfsg-5_all.deb
 7f788cdebfc288a6fa6bba1602d8bb9046fc379f 153590 krb5-user_1.10.1+dfsg-5_amd64.deb
 bc79a3ae0868e8ea8e6ff773c53cefafe167bb55 224496 krb5-kdc_1.10.1+dfsg-5_amd64.deb
 3949c4adff4140439a3d237e07e12e0a402a05d5 119982 krb5-kdc-ldap_1.10.1+dfsg-5_amd64.deb
 9dff1602d65cb2a8804bad82ac0c9e23a3e97926 121756 krb5-admin-server_1.10.1+dfsg-5_amd64.deb
 6825190576a7d7c8478f6d4c003a9b6b3173485a 153444 krb5-multidev_1.10.1+dfsg-5_amd64.deb
 91eff6975c7e88c791952e9996ef2efa2e7c2d37 39762 libkrb5-dev_1.10.1+dfsg-5_amd64.deb
 8249b60cae4400b5317a02ceec55b46fe031e5b7 2203582 libkrb5-dbg_1.10.1+dfsg-5_amd64.deb
 620c8bf1abb2c3534601103dca9411199892e258 82040 krb5-pkinit_1.10.1+dfsg-5_amd64.deb
 445a7a74e619c46aa01c1fb5f5c262a6e28385f4 393822 libkrb5-3_1.10.1+dfsg-5_amd64.deb
 cf1998eacceb08129949b7699fe0f52c2865f66c 147922 libgssapi-krb5-2_1.10.1+dfsg-5_amd64.deb
 6c5b2b9401f428d22fd49690181c97a1247fcf2f 87688 libgssrpc4_1.10.1+dfsg-5_amd64.deb
 f2f35c475ff3861653b27d967157e20a9a2d69cb 84860 libkadm5srv-mit8_1.10.1+dfsg-5_amd64.deb
 11d472509634e7f13b6ef6e1597bf070a4bbf7ee 67854 libkadm5clnt-mit8_1.10.1+dfsg-5_amd64.deb
 a25e7004e5133fe9555cfa19f181c9a2b40d223d 112238 libk5crypto3_1.10.1+dfsg-5_amd64.deb
 3f4c1fcf42069a6f33209320297c29768d8825cd 66756 libkdb5-6_1.10.1+dfsg-5_amd64.deb
 d6cee793d8a0e75d3d4451bb0412d4e6f20c944c 49490 libkrb5support0_1.10.1+dfsg-5_amd64.deb
 1ed36cf517209bdefa4b61953763243cd2420c74 51782 krb5-gss-samples_1.10.1+dfsg-5_amd64.deb
Checksums-Sha256: 
 885064c3989102193a53ef38f0bd782cd46a6ad1454ba95e1dc321dbf21db7ac 2287 krb5_1.10.1+dfsg-5.dsc
 54dbbae474c56777b287a6349e7aa2242d49f7732ecb7db5e3f5df3d8602ac8c 135076 krb5_1.10.1+dfsg-5.debian.tar.gz
 776148edc355dce10011ccafd325facee4427dfa29fea982a97f1a49e21a42a4 2668656 krb5-doc_1.10.1+dfsg-5_all.deb
 bc471183ede079e5ca004a5cf1a526a9e215950d18206b698c59d8513b28d55c 1502290 krb5-locales_1.10.1+dfsg-5_all.deb
 bd9c17dafce31145452162745a9e89132600568f72fed8f68352689349ff1e12 153590 krb5-user_1.10.1+dfsg-5_amd64.deb
 587ae9e0db077d752bb7ae65fe70cc6bc0a264b29eac94159da6ec1305929cb6 224496 krb5-kdc_1.10.1+dfsg-5_amd64.deb
 957132c6e599d7a46a962dee0137770aac7b2c7322a461713981569f98b3e3d9 119982 krb5-kdc-ldap_1.10.1+dfsg-5_amd64.deb
 0aaef30008b63b6b723ebbade1a4e1c0f0ebda84524c53f0b7678234c9bce216 121756 krb5-admin-server_1.10.1+dfsg-5_amd64.deb
 b2ed8395931458689193c5245e120fc5d1c70360dd34def3cb971a0e98be7933 153444 krb5-multidev_1.10.1+dfsg-5_amd64.deb
 dcd46766e1e3a1d247091a1bfe6720174e94575a0372555b6637a491750cae97 39762 libkrb5-dev_1.10.1+dfsg-5_amd64.deb
 2ba351e401e4dead01eea6622fc9cff2144f51783bf77232cb40448f71bb3a1d 2203582 libkrb5-dbg_1.10.1+dfsg-5_amd64.deb
 188ab7969403a1f151c7da7343b7fcf686082b71042712c60779d968fed82f11 82040 krb5-pkinit_1.10.1+dfsg-5_amd64.deb
 2a1368aa9e08a6810933c14a608449ad12e559927c596ca7b5cacc6346df88d9 393822 libkrb5-3_1.10.1+dfsg-5_amd64.deb
 4adacef2ccd1cf7e956afb3e6d7cfd5e109919dc06693e13a20f102a355752f8 147922 libgssapi-krb5-2_1.10.1+dfsg-5_amd64.deb
 998fec6ddd85b05843168e07b642d99c31d0d32c0860321eb90fb20a91c1ecd5 87688 libgssrpc4_1.10.1+dfsg-5_amd64.deb
 00fb6d46e622f7c64a6c386bbd64a4fa7c0136e948cee9a7b1c57d4c3d946a45 84860 libkadm5srv-mit8_1.10.1+dfsg-5_amd64.deb
 b0b4d2e09e3d2220e7cd9765661894e9939883bb7dc324b4ac63617d221207e0 67854 libkadm5clnt-mit8_1.10.1+dfsg-5_amd64.deb
 289a4f9be690ec0cc20c3e912c97eff42eb644dc9c6f94950aa5dca0d101f918 112238 libk5crypto3_1.10.1+dfsg-5_amd64.deb
 db1347346ea8260fa64dc6f9e3a4db6fe2753a7f86637ea8a78847cc5d71d915 66756 libkdb5-6_1.10.1+dfsg-5_amd64.deb
 6edd8a0a647b4bf277673617a0dd5a367e3448251cd80dee634758c30bae757c 49490 libkrb5support0_1.10.1+dfsg-5_amd64.deb
 ef34197fd2b22b193a644f967b29477cc01d6b806f4c64f17a6b6c15f10ffc6e 51782 krb5-gss-samples_1.10.1+dfsg-5_amd64.deb
Files: 
 a6fea8d10d5f4abf960be1901642f65d 2287 net standard krb5_1.10.1+dfsg-5.dsc
 8eeee71526d7388c2d6410c968d717f8 135076 net standard krb5_1.10.1+dfsg-5.debian.tar.gz
 4ee35df987654ad27c99580bceb23ed9 2668656 doc optional krb5-doc_1.10.1+dfsg-5_all.deb
 e3e59a08a086a2d7932177f20e76101e 1502290 localization standard krb5-locales_1.10.1+dfsg-5_all.deb
 64d267d7388df665a2d67650bfd5c690 153590 net optional krb5-user_1.10.1+dfsg-5_amd64.deb
 0298e6fdbd6bb585a65ad99be79c25d5 224496 net optional krb5-kdc_1.10.1+dfsg-5_amd64.deb
 827364a7fa3bfdc44c79418ba1c2ed4e 119982 net extra krb5-kdc-ldap_1.10.1+dfsg-5_amd64.deb
 394471f0a7c2b604c70bf7278452dd17 121756 net optional krb5-admin-server_1.10.1+dfsg-5_amd64.deb
 2d269bef2cd57892c553738d20300197 153444 libdevel optional krb5-multidev_1.10.1+dfsg-5_amd64.deb
 2d5a9f106521f806a1432155989da8d5 39762 libdevel extra libkrb5-dev_1.10.1+dfsg-5_amd64.deb
 9128f8605cac84c1e4f5bdbac592ba4d 2203582 debug extra libkrb5-dbg_1.10.1+dfsg-5_amd64.deb
 f8e39f0303a891ee2be34ce7e596a821 82040 net extra krb5-pkinit_1.10.1+dfsg-5_amd64.deb
 a84f9bb43039381651871598014e940b 393822 libs standard libkrb5-3_1.10.1+dfsg-5_amd64.deb
 ff326a69f4ea7c43822a1d54f81a1c18 147922 libs standard libgssapi-krb5-2_1.10.1+dfsg-5_amd64.deb
 24bf468eb3e16a74233cea0947e6c1e8 87688 libs standard libgssrpc4_1.10.1+dfsg-5_amd64.deb
 2b507930665af6db4c61e785c113a70e 84860 libs standard libkadm5srv-mit8_1.10.1+dfsg-5_amd64.deb
 3bd465d142d9c71e62bdc5ce9da3dd6e 67854 libs standard libkadm5clnt-mit8_1.10.1+dfsg-5_amd64.deb
 d420f07f97d2b799566b0df82e1cac6d 112238 libs standard libk5crypto3_1.10.1+dfsg-5_amd64.deb
 4bd9a2b87bb8d6dd8b2edf30d34aa885 66756 libs standard libkdb5-6_1.10.1+dfsg-5_amd64.deb
 21b0a17aa127efbe6d4212853bc10edf 49490 libs standard libkrb5support0_1.10.1+dfsg-5_amd64.deb
 7a3254e85a2e4b56dfd2587a66b8919f 51782 net extra krb5-gss-samples_1.10.1+dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlFhpSIACgkQ/I12czyGJg/5wgCeOCvcwm9JDz5dkFKsZyxr0FIh
EZoAn37Qh6//z8sKYMb1MG2XqKwr2dU6
=gMEB
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Sun, 07 Apr 2013 17:09:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Mon, 08 Apr 2013 02:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 08 Apr 2013 02:48:04 GMT) Full text and rfc822 format available.

Message #32 received at 704775@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Michael Gilbert <mgilbert@debian.org>, 704775@bugs.debian.org
Subject: Re: Bug#704775: krb5: KDC TGS-REQ null deref (CVE-2013-1416)
Date: Sun, 7 Apr 2013 22:45:36 -0400 (EDT)
On Sat, 6 Apr 2013, Michael Gilbert wrote:

> I'm not seeing any new kerberos releases:
> http://web.mit.edu/kerberos/krb5-1.10

Current Kerberos Security Team policy is to not issue security advisories 
for null pointer dereference crashes.  We assign CVE numbers for tracking, 
but do not delay publishing a fix until a new point release is available.

> Is this perhaps not meant to be public knowledge yet?

The patch is intentionally public.  Note that a user must be authenticated 
in order to trigger the crash.

-Ben



Marked as found in versions krb5/1.8.3+dfsg-4squeeze6. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 12 Apr 2013 15:24:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 17:57:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Apr 2013 17:57:14 GMT) Full text and rfc822 format available.

Message #39 received at 704775@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: 704775@bugs.debian.org
Subject: Re: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Mon, 15 Apr 2013 13:47:04 -0400
My recommendation is that this is not worth a DSA or stable fix for
squeeze unless some Debian user comes forward and says that they're
seeing crashes in the wild related to this.

--Sam



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 22:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tom Yu <tlyu@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 15 Apr 2013 22:42:04 GMT) Full text and rfc822 format available.

Message #44 received at 704775@bugs.debian.org (full text, mbox):

From: Tom Yu <tlyu@MIT.EDU>
To: Sam Hartman <hartmans@debian.org>
Cc: 704775@bugs.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#704775: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Mon, 15 Apr 2013 18:38:44 -0400
Sam Hartman <hartmans@debian.org> writes:

> My recommendation is that this is not worth a DSA or stable fix for
> squeeze unless some Debian user comes forward and says that they're
> seeing crashes in the wild related to this.
>
> --Sam

Keep in mind that unmodified client software can trivially trigger
this vulnerability.  I can do an explicit check of the trigger against
the 1.8 branch if you'd like confirmation.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 23:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Apr 2013 23:48:04 GMT) Full text and rfc822 format available.

Message #49 received at 704775@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Tom Yu <tlyu@MIT.EDU>
Cc: 704775@bugs.debian.org, Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#704775: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Mon, 15 Apr 2013 19:44:48 -0400
>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:

    Tom> Sam Hartman <hartmans@debian.org> writes:
    >> My recommendation is that this is not worth a DSA or stable fix
    >> for squeeze unless some Debian user comes forward and says that
    >> they're seeing crashes in the wild related to this.
    >> 
    >> --Sam

    Tom> Keep in mind that unmodified client software can trivially
    Tom> trigger this vulnerability.  I can do an explicit check of the
    Tom> trigger against the 1.8 branch if you'd like confirmation.

I understand.



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Wed, 17 Apr 2013 02:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Wed, 17 Apr 2013 02:03:04 GMT) Full text and rfc822 format available.

Message #54 received at 704775@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Sam Hartman <hartmans@debian.org>, 704775@bugs.debian.org
Subject: Re: Bug#704775: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Tue, 16 Apr 2013 22:00:38 -0400 (EDT)
On Mon, 15 Apr 2013, Sam Hartman wrote:

>>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
>
>    Tom> Sam Hartman <hartmans@debian.org> writes:
>    >> My recommendation is that this is not worth a DSA or stable fix
>    >> for squeeze unless some Debian user comes forward and says that
>    >> they're seeing crashes in the wild related to this.
>    >>
>    >> --Sam
>
>    Tom> Keep in mind that unmodified client software can trivially
>    Tom> trigger this vulnerability.  I can do an explicit check of the
>    Tom> trigger against the 1.8 branch if you'd like confirmation.
>
> I understand.

Having seen the reproducer, I am of the opinion that this bug should get 
fixed in stable.
I am planning to prepare a candidate stable upload (which may include 
another bugfix if it seems appropriate) later this week for consideration.

-Ben



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#704775; Package krb5-kdc. (Mon, 22 Apr 2013 00:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 22 Apr 2013 00:06:05 GMT) Full text and rfc822 format available.

Message #59 received at 704775@bugs.debian.org (full text, mbox):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: 704775@bugs.debian.org
Subject: Re: Bug#704775: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Sun, 21 Apr 2013 20:02:54 -0400 (EDT)
[Message part 1 (text/plain, inline)]
On Tue, 16 Apr 2013, Benjamin Kaduk wrote:

> Having seen the reproducer, I am of the opinion that this bug should get 
> fixed in stable.
> I am planning to prepare a candidate stable upload (which may include another 
> bugfix if it seems appropriate) later this week for consideration.

The attached handles cve-2013-1416 (this bug) and cve-2013-1415 (no debian 
bug number? Fixed in testing), as well as #704647 (rdns=false is broken).
The last is not exactly a security fix, so the patch is targeted for 
stable-proposed-updates.  A patch without that change could be targeted 
for stable-security, but we see the #704647 issue crop up regularly on the 
kerberos mailing lists and it would be very nice to get it fixed as well.

-Ben
[krb5-s-p-u.patch (text/plain, ATTACHMENT)]
diff -u krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
--- krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
@@ -111,19 +111,12 @@
                hostnames associated.  */
 
             memset(&hints, 0, sizeof(hints));
-            hints.ai_family = AF_INET;
             hints.ai_flags = AI_CANONNAME;
-        try_getaddrinfo_again:
             err = getaddrinfo(hostname, 0, &hints, &ai);
             if (err) {
 #ifdef DEBUG_REFERRALS
                 printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
 #endif
-                if (hints.ai_family == AF_INET) {
-                    /* Just in case it's an IPv6-only name.  */
-                    hints.ai_family = 0;
-                    goto try_getaddrinfo_again;
-                }
                 return KRB5_ERR_BAD_HOSTNAME;
             }
             remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
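Review bot: with `hints.ai_family = AF_INET;` and the `try_getaddrinfo_again` retry removed, the address family is whatever the preceding `memset(&hints, 0, sizeof(hints))` leaves, i.e. unspecified, so the single remaining getaddrinfo() call covers IPv4 and IPv6 names at once and the retry loop is genuinely redundant; add a one-line comment at the `hints.ai_flags = AI_CANONNAME;` line saying why no family is requested (the 1.10.1+dfsg-5 changelog ties this to upstream RT 7124), because the old AF_INET-first ordering read as deliberate and a later reader may otherwise reintroduce it. Also confirm, outside the hunk, that the one result list is still released with freeaddrinfo() on the success path now that only one call site remains.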
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze7) stable-proposed-updates; urgency=high
+
+  * CVE-2013-1416 TGS-REQ null pointer dereference in KDC, Closes: #704775
+  * CVE-2013-1415 KDC null pointer dereference with PKINIT
+  * Import upstream's workaround for a getaddrinfo bug, Closes: #704647
+
+ -- Benjamin Kaduk <kaduk@mit.edu>  Sun, 21 Apr 2013 15:49:14 -0400
+
 krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high
 
   * MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer
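Review bot: the `CVE-2013-1415` entry carries no bug reference and no pointer to where the fix came from, unlike the two entries around it; since the cover mail says no Debian bug exists for it, cite the upstream ticket or advisory in the entry (for example `* CVE-2013-1415 KDC null pointer dereference with PKINIT, import of upstream fix`) so the stable-proposed-updates reviewers can trace it. The entry also targets `stable-proposed-updates` where the previous one used `stable-security`; the cover mail explains this is because of the non-security #704647 change, and a short note to that effect belongs in the changelog as well.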
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.8.3+dfsg/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2879,7 +2879,7 @@
     pkiDebug("found kdcPkId in AS REQ\n");
     is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
     if (is == NULL)
-        goto cleanup;
+        return retval;
 
     status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
     if (!status) {
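Review bot: `return retval;` on the `is == NULL` path avoids the dereference of `is->issuer` that `goto cleanup` would have performed, but the value returned is whatever `retval` held before `d2i_PKCS7_ISSUER_AND_SERIAL` failed, and that assignment is outside the hunk; confirm it is a non-zero error code at this point (the only `retval = 0` visible is further down, in the next hunk), otherwise a malformed kdcPkId would be reported as success. An explicit error assignment immediately before the `return`, or a comment stating the invariant, would make this clear to the next reader.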
@@ -2889,7 +2889,6 @@
     }
 
     retval = 0;
-cleanup:
     X509_NAME_free(is->issuer);
     ASN1_INTEGER_free(is->serial);
     free(is);
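Review bot: dropping the `cleanup:` label means any other `goto cleanup` in this function that the two hunks do not show would no longer compile, and every future early-exit path would have to repeat the three frees by hand; confirm the jump replaced in the previous hunk was the only one, and consider keeping the label with an `if (is != NULL)` guard around `X509_NAME_free`, `ASN1_INTEGER_free` and `free(is)` instead, which keeps a single exit path and makes the NULL case safe by construction.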
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/kdc/do_tgs_req.c
+++ krb5-1.8.3+dfsg/src/kdc/do_tgs_req.c
@@ -1216,7 +1216,8 @@
             retval = ENOMEM;
             goto cleanup;
         }
-        strlcpy(comp1_str,comp1->data,comp1->length+1);
+        if (comp1->data != NULL)
+            memcpy(comp1_str, comp1->data, comp1->length);
 
         if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
              krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
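Review bot: the guarded `memcpy` stops reading through a NULL `comp1->data`, but `memcpy` copies exactly `comp1->length` bytes and writes no terminator, and when `comp1->data` is NULL nothing is written at all, so `comp1_str` is only a valid C string if its allocation (just above the hunk, not shown) zero-fills the buffer; if it is `malloc`, add an explicit `comp1_str[comp1->length] = '\0';` after the `if`. A comment saying that a NULL `data` pointer is a legal shape for a component of an otherwise valid request would also help, since the changelog entry only says "TGS-REQ null pointer dereference".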
@@ -1239,7 +1240,8 @@
                 retval = ENOMEM;
                 goto cleanup;
             }
-            strlcpy(temp_buf, comp2->data,comp2->length+1);
+            if (comp2->data != NULL)
+                memcpy(temp_buf, comp2->data, comp2->length);
             retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
             free(temp_buf);
             if (retval) {
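Review bot: the same termination concern as for `comp1_str` applies to `temp_buf`: after the guarded `memcpy` it has no terminator unless the allocation zero-filled it, and `krb5int_get_domain_realm_mapping` consumes it as a C string on the very next line. When `comp2->data` is NULL the lookup now proceeds with an empty buffer rather than being skipped; decide whether an empty second component should be looked up at all or should take the `retval` error path, and record the choice in a comment. The guard-and-copy sequence is also now duplicated between the two hunks; a small helper that allocates, copies and terminates would remove both copies and the termination question with them.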

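The do_tgs_req.c hunks in the attached patch replace an unguarded `strlcpy` with a NULL-checked `memcpy`. The following is an added illustration of the defensive pattern behind that change, written for this bug log and not taken from the patch or the krb5 sources: `component` is a constructed stand-in for krb5's length-delimited principal component (only the two fields used here), and `component_to_cstring` is a hypothetical helper, not a krb5 API. It shows the three properties a safe copy needs: never read through a NULL data pointer, reject a NULL pointer that nevertheless claims a length, and guarantee a terminator even for an empty component.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a krb5 length-delimited principal component;
 * the real krb5_data struct has more fields, only these two matter here. */
typedef struct {
    unsigned int length;
    const char *data;
} component;

/*
 * Copy a length-delimited component into a freshly allocated,
 * NUL-terminated C string (hypothetical helper, not a krb5 API).
 *
 * Unlike strlcpy(), this never reads through a NULL data pointer, and the
 * result is terminated even when the component is empty, because the
 * buffer is zero-filled before the copy.
 *
 * Returns 0 and sets *out on success; EINVAL for a malformed component
 * (NULL data with a non-zero length, a length that cannot be stored, or an
 * embedded NUL that would silently truncate later string use); ENOMEM if
 * the allocation fails.  *out is NULL on every failure path.
 */
int component_to_cstring(const component *comp, char **out)
{
    char *buf;

    *out = NULL;
    if (comp->data == NULL && comp->length != 0)
        return EINVAL;
    if (comp->length == UINT_MAX)          /* length + 1 would wrap */
        return EINVAL;
    if (comp->data != NULL && memchr(comp->data, '\0', comp->length) != NULL)
        return EINVAL;

    buf = calloc((size_t)comp->length + 1, 1);   /* zero-filled: terminator is free */
    if (buf == NULL)
        return ENOMEM;
    if (comp->length != 0)
        memcpy(buf, comp->data, comp->length);
    *out = buf;
    return 0;
}

/* Self-checks over constructed inputs; each returns 1 on the expected outcome. */
int check_normal_component(void)
{
    component c = { 11, "kdc.example" };
    char *s = NULL;
    int ok = component_to_cstring(&c, &s) == 0 && strcmp(s, "kdc.example") == 0;
    free(s);
    return ok;
}

/* A component whose data pointer is NULL: the case the patch's
 * `comp1->data != NULL` guard exists for.  Must yield a valid empty string. */
int check_empty_component(void)
{
    component c = { 0, NULL };
    char *s = NULL;
    int ok = component_to_cstring(&c, &s) == 0 && s != NULL && s[0] == '\0';
    free(s);
    return ok;
}

/* NULL data that still claims a length is malformed and must be refused. */
int check_null_data_with_length(void)
{
    component c = { 4, NULL };
    char *s = (char *)"sentinel";   /* must be reset to NULL on failure */
    return component_to_cstring(&c, &s) == EINVAL && s == NULL;
}

/* An embedded NUL inside the declared length is refused rather than truncated. */
int check_embedded_nul(void)
{
    component c = { 5, "ab\0cd" };
    char *s = NULL;
    return component_to_cstring(&c, &s) == EINVAL && s == NULL;
}

int main(void)
{
    printf("normal: %d\nempty: %d\nnull+length: %d\nembedded NUL: %d\n",
           check_normal_component(), check_empty_component(),
           check_null_data_with_length(), check_embedded_nul());
    return 0;
}
```

The zero-filled allocation is what makes the guarded `memcpy` safe to skip: if the caller instead used `malloc`, the empty-component path would hand an unterminated buffer to the next string function, which is the residual question the patch's hunks leave open.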
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#704775; Package krb5-kdc. (Thu, 25 Apr 2013 13:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Thu, 25 Apr 2013 13:39:04 GMT) Full text and rfc822 format available.

Message #64 received at 704775@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Cc: 704775@bugs.debian.org
Subject: Re: Bug#704775: Processed: found 704775 in 1.8.3+dfsg-4squeeze6
Date: Thu, 25 Apr 2013 09:35:49 -0400
OK.
Why don't you run that patch by debian-release@lists.debian.org with a
SRM tag in the subject.
If you get an ack, then I'm happy to sign and upload.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:17:11 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:39:42 2014; Machine Name: buxtehude.debian.org
