Bug 419765 (CVE-2012-1013)

Summary:	<app-crypt/mit-krb5-1.9.4 : "check_1_6_dummy()" Denial of Service Weakness (CVE-2012-{1012,1013})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	kerberos
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://secunia.com/advisories/49346/
Whiteboard:	B3 [glsa?]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2012-06-05 14:00:03 UTC

From secunia security advisory at $URL:

Description
A weakness has been reported in Kerberos, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error in the "check_1_6_dummy()" function in src/lib/kadm5/srv/svr_principal.c. This can be exploited to cause a crash via a create-principal request containing no password but the KRB5_KDB_DISALLOW_ALL_TIX flag.

Successful exploitation requires an administrator account with "create" privileges.

The weakness is reported in versions prior to 1.10.2.


Solution
Update to version 1.10.2.

Comment 1 Eray Aslan gentoo-dev

2012-06-05 14:16:12 UTC

+*mit-krb5-1.10.2 (05 Jun 2012)
+
+  05 Jun 2012; Eray Aslan <eras@gentoo.org> +mit-krb5-1.10.2.ebuild:
+  security bump - bug #419765
+

@security.  We can stabilize =app-crypt/mit-krb5-1.10.2.  But there are some keywords missing.  Please see bug #412489.

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2012-06-05 16:58:44 UTC

Thanks, Eray. Given the administrator requirement I think we're ok waiting for bug 412489.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2012-06-15 19:26:54 UTC

CVE-2012-1013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1013):
  The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in
  MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows
  remote authenticated administrators to cause a denial of service (NULL
  pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create
  request that lacks a password.

CVE-2012-1012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1012):
  server/server_stubs.c in the kadmin protocol implementation in MIT Kerberos
  5 (aka krb5) 1.10 before 1.10.1 does not properly restrict access to (1)
  SET_STRING and (2) GET_STRINGS operations, which might allow remote
  authenticated administrators to modify or read string attributes by
  leveraging the global list privilege.

Comment 4 Eray Aslan gentoo-dev

2012-06-23 08:20:26 UTC

+*mit-krb5-1.9.4 (23 Jun 2012)
+
+  23 Jun 2012; Eray Aslan <eras@gentoo.org> +mit-krb5-1.9.4.ebuild:
+  security bump - bug #419765
+

@security: mit-krb5-1.9.4 is released with the fix.  We might want to stabilize =app-crypt/mit-krb5-1.9.4 - which has all the keywords - instead of waiting for  mit-krb5-1.10.2.

Comment 5 Agostino Sarubbo gentoo-dev

2012-06-23 08:30:49 UTC

Thanks Eras.

Arches, please test and mark stable:
=app-crypt/mit-krb5-appl-1.9.4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 6 Agostino Sarubbo gentoo-dev

2012-06-23 10:01:28 UTC

amd64 stable

Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-06-25 04:43:32 UTC

x86 stable

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2012-06-26 01:52:38 UTC

Improvements in the test suite over the old stable.

Stable for HPPA.

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2012-07-08 14:49:19 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 10 Michael Weber (RETIRED) gentoo-dev

2012-07-09 05:18:05 UTC

ppc stable

Comment 11 Agostino Sarubbo gentoo-dev

2012-08-01 16:48:09 UTC

@ppc64, you will continue in bug 429324



@security, please vote.

Comment 12 Tim Sammut (RETIRED) gentoo-dev

2012-08-14 15:46:35 UTC

Thanks, everyone. GLSA Vote: no.

Comment 13 Stefan Behte (RETIRED) gentoo-dev

2012-08-14 16:10:38 UTC

Vote: NO, closing noglsa.