
Bug 628936 (CVE-2017-7562)

Summary: <app-crypt/mit-krb5-1.16: forged certificate allows improper authorization (CVE-2017-7562)
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: kerberos
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1485510
Whiteboard: B4 [noglsa cve]
Package list:
app-crypt/mit-krb5-1.16
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-08-25 22:16:24 UTC
From $URL:

A flaw was found in krb5 certificate EKU validation which could lead to improper authorization if a forged certificate with the right EKU and no SAN is used.

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.

Upstream bug:

https://github.com/krb5/krb5/pull/694

Upstream patch:

https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2
https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196
https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d
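
An added example, not code from krb5 or from this report: a simplified C model of why an EKU match must not authorize a certificate by itself. The three-valued verdict, the rule for combining module results, the no-opinion answer of the SAN check when no SAN is present, and all names are assumptions made for illustration.

```c
#include <string.h>

/* Simplified model (assumption): a module answers YES, PASS (no opinion) or NO. */
enum verdict { PASS, YES, NO };

struct cert {              /* constructed stand-in for a client certificate */
    int pkinit_eku;        /* 1 if it carries the PKINIT client-auth EKU */
    const char *san;       /* principal named in the SAN, NULL if no SAN */
};

typedef enum verdict (*module_fn)(const struct cert *, const char *);

/* Flawed behaviour from the report: a matching EKU authorizes by itself. */
static enum verdict eku_flawed(const struct cert *c, const char *princ)
{
    (void)princ;
    return c->pkinit_eku ? YES : NO;
}

/* Corrected behaviour: a matching EKU is required but proves no identity. */
static enum verdict eku_fixed(const struct cert *c, const char *princ)
{
    (void)princ;
    return c->pkinit_eku ? PASS : NO;
}

/* SAN check ties the certificate to a user; with no SAN it has no opinion. */
static enum verdict san_check(const struct cert *c, const char *princ)
{
    if (c->san == NULL)
        return PASS;
    return strcmp(c->san, princ) == 0 ? YES : NO;
}

/* Authorized only if at least one module says YES and none says NO. */
int authorized(module_fn eku, const struct cert *c, const char *princ)
{
    enum verdict v[2] = { eku(c, princ), san_check(c, princ) };
    int yes = 0;
    for (size_t i = 0; i < 2; i++) {
        if (v[i] == NO)
            return 0;
        yes |= (v[i] == YES);
    }
    return yes;
}

int flawed_allows(const struct cert *c, const char *p) { return authorized(eku_flawed, c, p); }
int fixed_allows(const struct cert *c, const char *p) { return authorized(eku_fixed, c, p); }
```

In this model the certificate with the right EKU and no SAN is accepted for any requested principal under `eku_flawed` and refused under `eku_fixed`, while a certificate whose SAN names the requested principal is accepted in both cases.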
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 20:24:05 UTC
This is fixed upstream in mit-krb5-1.16, which was released on 2017-12-05.
Comment 2 Larry the Git Cow gentoo-dev 2018-01-26 21:07:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c738af81bb82e7b640667f08e3199c5ca1

commit f4a050c738af81bb82e7b640667f08e3199c5ca1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-26 21:07:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 21:07:29 +0000

    app-crypt/mit-krb5: bump, fixes CVE-2017-7562
    
    Ebuild changes:
    ===============
    - Dropped the following upstreamed patches which are now included in v1.16:
    
      - mit-krb5-1.14.2-redeclared-ttyname.patch
      - mit-krb5-1.14.4-disable-nls.patch
      - mit-krb5-1.15.2-fix-pkinit.patch
    
    - We are now installing systemd services. [Bug 524412]
    
    - Tests are now restricted because they are requiring network access.
    
    Closes: https://bugs.gentoo.org/524412
    Bug: https://bugs.gentoo.org/628936
    Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-crypt/mit-krb5/Manifest                        |   1 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.service   |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kdc.service       |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.service    |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.socket     |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd_at.service |   8 ++
 app-crypt/mit-krb5/mit-krb5-1.16.ebuild            | 155 +++++++++++++++++++++
 7 files changed, 198 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 15:30:33 UTC
@arches, please stabilize.
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-25 20:33:15 UTC
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-25 21:00:59 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-25 21:58:37 UTC
ia64 stable
Comment 7 Mart Raudsepp gentoo-dev 2018-03-28 19:38:19 UTC
not newstabling arm64
Comment 8 Larry the Git Cow gentoo-dev 2018-03-29 02:01:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c476eeeae26a5ac514e5769e9a9a5346a6f21349

commit c476eeeae26a5ac514e5769e9a9a5346a6f21349
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 01:37:10 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 01:37:10 +0000

    app-crypt/mit-krb5: amd64 stable
    
    Bug: https://bugs.gentoo.org/628936
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-crypt/mit-krb5/mit-krb5-1.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-29 14:53:51 UTC
x86 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 14:18:55 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-04-08 10:48:44 UTC
arm stable
Comment 12 Matt Turner gentoo-dev 2018-04-22 20:20:10 UTC
hppa stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:25:07 UTC
GLSA Vote: No

Cleanup will happen in bug 628936
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:26:08 UTC
(In reply to Aaron Bauman from comment #13)
> GLSA Vote: No
> 
> Cleanup will happen in bug 628936

bug 649610 rather