From ${URL}: The python-kerberos checkPassword() function does not verify that the KDC it is authenticating with is the one it intended to communicate with. This could allow a man-in-the-middle attacker to spoof a KDC when an application using python-kerberos attempts to verify a password via the checkPassword() function. This issue is tracked upstream in https://www.calendarserver.org/ticket/833, however it was resolved by documenting the shortcomings of the checkPassword() function: https://pypi.python.org/pypi/kerberos . The pykerberos library (https://pypi.python.org/pypi/pykerberos), a fork of python-kerberos, does include KDC validation support. This change should be backported to python-kerberos so that the various other applications that rely on checkPassword() do not have to replace checkPassword() with a more secure alternative. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
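The flaw and the fix described in the comment above, as an added toy simulation written for this page (it is not python-kerberos or pykerberos code and talks to no real KDC): HMAC stands in for Kerberos encryption, and `HonestKDC`, `RogueKDC`, `check_password`, `demo`, the realm, the principal and the keytab are all constructed. With `verify=False` the client only checks that the AS-REP decrypts under the password it was given, which a spoofed KDC that knows that password can always arrange; with `verify=True` the client additionally obtains a ticket for its own service principal and checks it against its keytab key, which only the real KDC holds.

```python
import hashlib, hmac, secrets

def string_to_key(realm, user, password):
    # Toy string-to-key (constructed stand-in for Kerberos s2k): long-term key from a password.
    return hashlib.sha256(f"{realm}/{user}/{password}".encode()).digest()

def seal(key, payload):
    # Toy 'encryption': all this demo needs is that the blob opens only under the same key.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def opens(key, blob):
    # True when blob was sealed under key (stands in for 'decryption succeeded').
    payload, tag = blob[:-32], blob[-32:]  # 32-byte HMAC-SHA256 tag appended by seal()
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)

class HonestKDC:  # the real KDC: holds every user's and every service's long-term key
    def __init__(self, realm, passwords, service_keys):
        self.user_keys = {u: string_to_key(realm, u, p) for u, p in passwords.items()}
        self.service_keys = service_keys
    def as_rep(self, user):      # AS-REP: fresh session key sealed under the user's key
        return seal(self.user_keys[user], secrets.token_bytes(16))
    def tgs_rep(self, service):  # TGS-REP: service ticket sealed under the service's key
        return seal(self.service_keys[service], b"ticket:" + service.encode())

class RogueKDC:  # spoofed KDC: knows the password the attacker typed, but no real service key
    def __init__(self, realm, typed_password):
        self.realm, self.typed = realm, typed_password
    def as_rep(self, user):      # sealed under the attacker's own password key, so it always 'decrypts'
        return seal(string_to_key(self.realm, user, self.typed), secrets.token_bytes(16))
    def tgs_rep(self, service):  # cannot forge a ticket that the application's keytab key will open
        return seal(secrets.token_bytes(32), b"ticket:" + service.encode())

def check_password(kdc, realm, user, password, service, keytab, verify):
    # Model of checkPassword(): verify=False does only the AS exchange, as python-kerberos did.
    if not opens(string_to_key(realm, user, password), kdc.as_rep(user)):
        return False  # wrong password, as judged by whichever KDC answered
    if not verify:
        return True   # trusts the answering KDC: this is the spoofing issue
    # verify: request a ticket for our own principal and check that it opens with our keytab key,
    # which only the real KDC can produce
    return opens(keytab[service], kdc.tgs_rep(service))

def demo(kdc_kind, verify, password="correct horse"):
    # Constructed realm, principal and keytab; alice's real password is "correct horse".
    realm, service = "EXAMPLE.COM", "HTTP/www.example.com"
    keytab = {service: hashlib.sha256(b"constructed service key").digest()}
    kdc = (HonestKDC(realm, {"alice": "correct horse"}, keytab) if kdc_kind == "honest"
           else RogueKDC(realm, password))
    return check_password(kdc, realm, "alice", password, service, keytab, verify)
```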
*pykerberos-1.1.7 (29 May 2015)

  29 May 2015; Ian Delaney <idella4@gentoo.org> +pykerberos-1.1.7.ebuild:
  bump wrt to sec bug #550120

I bumped this as a member of proxy-maint. I know nothing more of the package. Check with the others listed in CC if you wish.
dev-python/pykerberos implemented KDC verification support via https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c

$ git tag --contains 02d13860b25fab58e739f0e000bed0067b7c6f9c
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.6
v1.1.7
v1.1.8
v1.1.9

So this was fixed for Gentoo once =dev-python/pykerberos-1.1.7 appeared.

@ Arches, please test and mark stable: =dev-python/pykerberos-1.1.9
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
commit 7dd1321fe354b963a72c3876e18d6c211fa2c0ab (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sat Nov 26 00:29:57 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sat Nov 26 00:30:10 2016 +0100

    dev-python/pykerberos: clean up vulnerable version.

    Gentoo-Bug: https://bugs.gentoo.org/550120
    Package-Manager: portage-2.3.0

 dev-python/pykerberos/Manifest                |  1 -
 dev-python/pykerberos/pykerberos-1.1.5.ebuild | 22 ----------------------
 2 files changed, 23 deletions(-)
 delete mode 100644 dev-python/pykerberos/pykerberos-1.1.5.ebuild
Clean up done. Over to the security team!
GLSA Vote: No