323525 – <app-crypt/mit-krb5-1.8.2 multiple vulnerabilities (CVE-2010-{1320,1321})

Bug 323525 - <app-crypt/mit-krb5-1.8.2 multiple vulnerabilities (CVE-2010-{1320,1321})

Summary: <app-crypt/mit-krb5-1.8.2 multiple vulnerabilities (CVE-2010-{1320,1321})

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://web.mit.edu/Kerberos/krb5-1.8/
Whiteboard:	B1 [glsa]
Keywords:

Depends on:
Blocks:	321935
	Show dependency tree

Reported:	2010-06-11 09:08 UTC by Eray Aslan
Modified:	2012-01-23 20:38 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
kpropd.xinetd (kpropd.xinetd,194 bytes, text/plain) 2010-06-11 09:09 UTC, Eray Aslan	no flags	Details
mit-krb5-1.8.2.ebuild (mit-krb5-1.8.2.ebuild,2.47 KB, text/plain) 2010-06-11 09:30 UTC, Eray Aslan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eray Aslan gentoo-dev

2010-06-11 09:08:14 UTC

Major changes in 1.8.2
----------------------

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** CVE-2010-1320 KDC double free caused by ticket renewal
     (MITKRB5-SA-2010-004)
  ** CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)

* Allow numeric IPv6 addresses for configuring KDC locations.

krb5-1.8.2 changes by ticket ID
-------------------------------

6562    kinit not working if kdc is configured with numerical IPv6 address
6696    gss_accept_sec_context doesn't produce error tokens
6697    segfault caused by dlerror returning NULL
6698    kproplog displays incorrect iprop timestamps on 64-bit platforms
6702    CVE-2010-1320 KDC double free caused by ticket renewal
        (MITKRB5-SA-2010-004)
6711    memory leak in process_tgs_req in r23724
6718    Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
6722    Error handling bug in krb5_init_creds_init()
6725    CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
6726    SPNEGO doesn't interoperate with Windows 2000
6730    kdc_tcp_ports not documented in kdc.conf.M
6734    FAST negotiation could erroneously succeed

Reproducible: Always

Comment 1 Eray Aslan gentoo-dev

2010-06-11 09:09:36 UTC

Created attachment 234919 [details]
kpropd.xinetd

Comment 2 Eray Aslan gentoo-dev

2010-06-11 09:30:49 UTC

Created attachment 234923 [details]
mit-krb5-1.8.2.ebuild

Changelog:

Version bump bug #323525.  Added xinetd USE flag bug #321939.  Disabled parallel make bug #321141.  No need to inherit autotools anymore.

Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester

2010-06-11 15:55:52 UTC

+  11 Jun 2010; Jeremy Olexa <darkside@gentoo.org> +mit-krb5-1.8.2.ebuild,
+  +files/kpropd.xinetd:
+  Version bump bug #323525. Added xinetd USE flag bug #321939. Disabled
+  parallel make bug #321141. No need to inherit autotools anymore.

Comment 4 Eray Aslan gentoo-dev

2010-06-15 09:21:15 UTC

Multiple vulnerabilities exists for <app-crypt/mit-krb5-1.8.2.  Please see http://web.mit.edu/kerberos/advisories/ for a full list.

Arches, please test and mark stable =app-crypt/mit-krb5-1.8.2

Target keywords:
"alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"

Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev

2010-06-15 20:10:07 UTC

reassigning to security and fixing product/component

Eray, please file security related bugs in the Gentoo Security product. Also please don't close bugs assigned to security@g.o
For more information about handling security bugs have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml and http://www.gentoo.org/security/en/index.xml

Comment 6 Eray Aslan gentoo-dev

2010-06-16 08:35:48 UTC

Noted.  Sorry about that.

Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-06-16 09:15:35 UTC

x86 stable

Comment 8 Alex Buell 2010-06-17 00:25:34 UTC

Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect of putting a blocker on apps that uses heimdal. 

equery d heimdal
[ Searching for packages depending on heimdal... ]
net-ftp/proftpd-1.3.2d (kerberos? app-crypt/heimdal)
net-nds/openldap-2.4.19-r1 (!minimal & smbkrb5passwd? app-crypt/heimdal)

This really needs sorting out as I use kerberos as one of my USE flags!

# equery d mit-krb5
[ Searching for packages depending on mit-krb5... ]
dev-lang/php-5.2.13 (kerberos? virtual/krb5)
dev-libs/cyrus-sasl-2.1.23-r1 (kerberos? virtual/krb5)
dev-libs/openssl-0.9.8o (kerberos? app-crypt/mit-krb5)
dev-perl/GSSAPI-0.24 (virtual/krb5)
dev-util/cvs-1.12.12-r6 (kerberos? virtual/krb5)
gnome-base/gnome-vfs-2.24.3-r1 (kerberos? virtual/krb5)
gnome-extra/evolution-data-server-2.28.3.1-r1 (kerberos? virtual/krb5)
                                              (krb4? app-crypt/mit-krb5[krb4])
mail-client/evolution-2.28.3.1 (kerberos? virtual/krb5)
                               (krb4? app-crypt/mit-krb5[krb4])
net-fs/nfs-utils-1.1.4-r1 (!nonfsv4 & kerberos? app-crypt/mit-krb5)
net-fs/samba-3.4.6 (ads? virtual/krb5)
net-ftp/proftpd-1.3.2d (kerberos? <app-crypt/mit-krb5-1.7)
net-im/pidgin-2.6.6 (zephyr? >=app-crypt/mit-krb5-1.3.6-r1[krb4])
net-mail/fetchmail-6.3.17 (kerberos? virtual/krb5)
net-misc/curl-7.20.0-r2 (kerberos? virtual/krb5)
net-misc/neon-0.29.3 (kerberos? virtual/krb5)
net-misc/openssh-5.3_p1-r1 (kerberos? virtual/krb5)
net-nds/openldap-2.4.19-r1 (!minimal & kerberos? virtual/krb5)
net-print/cups-1.3.11-r1 (kerberos? virtual/krb5)

Comment 9 Eray Aslan gentoo-dev

2010-06-17 06:50:19 UTC

Please open a seperate bug for it.  Thank you.

Comment 10 Jeroen Roovers (RETIRED) gentoo-dev

2010-06-21 18:34:47 UTC

(In reply to comment #8)
> Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect
> of putting a blocker on apps that uses heimdal. 

That should be impossible as heimdal and mit-krb5 are interchangeable, and we don't impose a restriction on either use:

jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-nds/openldap $ ebuildvar DEPEND | grep k
erb                                                                                    openldap-2.3.43-r1.ebuild:              kerberos? ( virtual/krb5 )
openldap-2.4.19-r1.ebuild:              kerberos? ( virtual/krb5 )
openldap-2.4.21.ebuild:                 kerberos? ( virtual/krb5 )
jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-ftp/proftpd $ ebuildvar DEPEND | grep ke
rb                                                                                     proftpd-1.3.2b.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heim
dal ) )                                                                                proftpd-1.3.2c.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heim
dal ) )                                                                                proftpd-1.3.2d.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heim
dal ) )                                                                                proftpd-1.3.2e.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heim
dal ) )                                                                                proftpd-1.3.3.ebuild:   kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )

The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead, but that problem has nothing to do with this bug report.

Comment 11 Eray Aslan gentoo-dev

2010-06-21 18:54:47 UTC

(In reply to comment #10)
> The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead,
> but that problem has nothing to do with this bug report.

Agreed.  Please see bug #324903

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2010-06-22 01:17:57 UTC

Stable for HPPA.

Comment 13 Christoph Mende (RETIRED) gentoo-dev

2010-06-23 15:58:40 UTC

amd64 stable

Comment 14 Brent Baude (RETIRED) gentoo-dev

2010-07-08 15:53:12 UTC

ppc64 done

Comment 15 Tobias Klausmann (RETIRED) gentoo-dev

2010-07-11 10:15:02 UTC

Stable on alpha.

Comment 16 Jeremy Olexa (darkside) (RETIRED) archtester

2010-07-14 15:21:02 UTC

(cleaning my bug queue, Eray can add me to CC for future requests)

Comment 17 Raúl Porcel (RETIRED) gentoo-dev

2010-07-18 17:42:26 UTC

arm/ia64/m68k/s390/sh/sparc stable

Comment 18 Joe Jezak (RETIRED) gentoo-dev

2010-07-19 00:38:02 UTC

Marked ppc stable.

Comment 19 Stefan Behte (RETIRED) gentoo-dev

2010-08-01 12:35:59 UTC

glsa request filed.

Comment 20 Tobias Heinlein (RETIRED) gentoo-dev

2010-08-02 10:04:57 UTC

CVE-2010-1320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320):
  Double free vulnerability in do_tgs_req.c in the Key Distribution
  Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before
  1.8.2 allows remote authenticated users to cause a denial of service
  (daemon crash) or possibly execute arbitrary code via a request
  associated with (1) renewal or (2) validation.

CVE-2010-1321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321):
  The kg_accept_krb5 function in krb5/accept_sec_context.c in the
  GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8
  before 1.8.2, as used in kadmind and other applications, does not
  properly check for invalid GSS-API tokens, which allows remote
  authenticated users to cause a denial of service (NULL pointer
  dereference and daemon crash) via an AP-REQ message in which the
  authenticator's checksum field is missing.

Comment 21 GLSAMaker/CVETool Bot gentoo-dev

2012-01-23 20:38:19 UTC

This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).