Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 257075 (CVE-2009-0360) - sys-auth/pam_krb5 <3.12 Local privilege escalation {CVE-2009-0360,CVE-2009-0361}
Summary: sys-auth/pam_krb5 <3.12 Local privilege escalation {CVE-2009-0360,CVE-2009-0361}
Status: RESOLVED FIXED
Alias: CVE-2009-0360
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.en...
Whiteboard: B1 [glsa]
Keywords:
: 269008 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-01-31 10:37 UTC by Robert Buchholz (RETIRED)
Modified: 2009-05-08 10:26 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
pam_krb5-bug257075.patch (pam_krb5-bug257075.patch,8.93 KB, patch)
2009-01-31 10:46 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
pam_krb5-3.9-bug257075.patch (pam_krb5-3.9-bug257075.patch,4.13 KB, patch)
2009-01-31 10:46 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
new pam_krb5 ebuild (pam_krb5-3.12.ebuild,825 bytes, text/plain)
2009-02-01 17:40 UTC, Michael Hammer (RETIRED)
no flags Details
removed NEWS file from patch - simple to maintain over different releases (pam_krb5-3.12-CVE-20090211.patch,7.14 KB, patch)
2009-02-01 17:41 UTC, Michael Hammer (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 10:37:27 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Russ Allbery wrote:
The following two vulnerbilities are present in all versions of my
pam-krb5 module prior to 3.13:

* When linked with MIT Kerberos, pam-krb5 did not use the correct API for
  initializing the Kerberos libraries in a setuid context.  This meant the
  MIT Kerberos libraries would trust environmental variables to locate the
  Kerberos configuration.  An attacker could exploit this to bypass
  authentication checks in setuid applications using PAM for
  authentication, resulting in privilege escalation.  This vulnerability
  was not present if pam-krb5 was linked with the Heimdal Kerberos
  implementation.

* pam_setcred with PAM_REINITIALIZE_CREDS or PAM_REFRESH_CREDS is used to
  refresh existing credentials for a user, such as when releasing a locked
  screen.  It therefore honors the existing KRB5CCNAME environment
  variable to locate the existing Kerberos credential cache.  This means,
  however, that if those APIs were called by a setuid application without
  first calling PAM_ESTABLISH_CREDS or dropping privileges, pam-krb5 may
  overwrite and chown the file specified by KRB5CCNAME to an attacker.
  This PAM calling sequence is unusual, but it's known to be used by
  Solaris 10 su.  pam-krb5 3.13 and later will log an error message and
  return success without taking any action when a program attempts to
  reinitialize credentials in a setuid context.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 10:45:33 UTC
Russ provided us with both patches for git HEAD (probably to apply on 3.12) and 3.09/3.10. Please prepare an ebuild applying either of those patches (i.e. version bump or revision bump, your choice) and attach it to this bug. Do not commit anything to CVS!
We will do prestable testing on this bug.

I have a few more details that I would forward to anyone of you in CC working on this bug, so please shout out if you're there.

Furthermore, do we other Kerberos-enabled PAM plugins (i.e. the sourceforge one?). I know we had before, just want to make sure we do not anymore.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 10:46:35 UTC
Created attachment 180390 [details, diff]
pam_krb5-bug257075.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 10:46:56 UTC
Created attachment 180392 [details, diff]
pam_krb5-3.9-bug257075.patch
Comment 4 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 09:38:33 UTC
I'd say that' my job as kerberos maintainer.

Related to http://www.eyrie.org/~eagle/software/pam-krb5/ the latest stable release is still 3.12 (and not 3.13) therefore I'd say we provide a 3.12 release bump with the patch included. Give me some hours - I am visiting my family ATM.

greets, mueli
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-02-01 10:44:14 UTC
(In reply to comment #4)
> Related to http://www.eyrie.org/~eagle/software/pam-krb5/ the latest stable
> release is still 3.12 (and not 3.13)

Yep, 3.13 is coming out on Feb. 11 (the embargo date).

Comment 6 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 17:40:33 UTC
Created attachment 180571 [details]
new pam_krb5 ebuild
Comment 7 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 17:41:05 UTC
Created attachment 180573 [details, diff]
removed NEWS file from patch - simple to maintain over different releases
Comment 8 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 17:43:30 UTC
ebuild compiles on my environments and functionality is ok - security bug not tested by myself. I've renamed the patch and removed the NEWS file from the patch because this file is simply not patchable with one patch over multiple releases.

Don't hesitate to tell me if you need something more.

greets, mueli
Comment 9 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 17:47:05 UTC
BTW: I am not maintaining any other pam module for kerberos and I don't know of any other in our tree - but I might have missed some ... so if you know one more, please tell me!
Comment 10 Michael Hammer (RETIRED) gentoo-dev 2009-02-01 17:47:44 UTC
Sry - clicking to fast
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-02-01 18:12:04 UTC
FWIW I have no idea about Kerberos, I can tell you that sys-libs/pam does not have any kerberos bits though.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-02-02 11:39:34 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Ebuild:
=sys-auth/pam_krb5-3.12

Note you only need the last two atached files.

Target keywords : "amd64 ppc sparc x86"

CC'ing current Liaisons:
   amd64 : keytoaster, tester
     ppc : dertobi123
   sparc : fmccor
     x86 : maekke, armin76
Comment 13 Markus Meier gentoo-dev 2009-02-04 20:26:45 UTC
looks good on amd64/x86.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 04:45:35 UTC
Public via http://thread.gmane.org/gmane.comp.encryption.kerberos.general/13398

mueli, please bump in the tree and commit straight to stable for the arches that responded here. We'll add the others afterwards.
Comment 15 Michael Hammer (RETIRED) gentoo-dev 2009-02-12 09:34:59 UTC
Done.

Pushed 3.13 as unstable into tree. I'd suggest to stable this one - what do you think?

g, Michael
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 10:53:57 UTC
(In reply to comment #15)
> Done.
> 
> Pushed 3.13 as unstable into tree. I'd suggest to stable this one - what do you
> think?

Judging from the ChangeLog there are no relevant changes for users (allow building against older Heimdal, figure out libdir if kerberos does not provide pkgconfig), so I'm hesitant to cause upgrades for them and work for amd64/x86 again. However, this is at your discretion. But feel free to add ppc and sparc for either version to this bug.

Also, can you please rename the patch to be pam_krb5-3.12-CVE-2009-0361-0362.patch or so, because right now it can be easily mistaken to be a patch for CVE-2009-0211 which would be a different issue (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0211). Thanks!
Comment 17 Michael Hammer (RETIRED) gentoo-dev 2009-02-12 13:57:08 UTC
ACK - as we have already stabled on x86/amd64 let us finalize for 3.12 release.

Renaming is done.

sparc, ppc - could you please stable pam_krb5-3.12?

greets, mueli
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 14:49:11 UTC
Arches, please test and mark stable:
=sys-auth/pam_krb5-3.12
Target keywords : "amd64 ppc sparc x86"
Already stabled : "amd64 x86"
Missing keywords: "ppc sparc"
Comment 19 Brent Baude (RETIRED) gentoo-dev 2009-02-12 16:24:01 UTC
ppc done
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-13 21:42:24 UTC
CVE-2009-0360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0360):
  Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos,
  does not properly initialize the Kerberos libraries for setuid use,
  which allows local users to gain privileges by pointing an
  environment variable to a modified Kerberos configuration file, and
  then launching a PAM-based setuid application.

CVE-2009-0361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0361):
  Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in
  Solaris 10, and other software, does not properly handle calls to
  pam_setcred when running setuid, which allows local users to
  overwrite and change the ownership of arbitrary files by setting the
  KRB5CCNAME environment variable, and then launching a setuid
  application that performs certain pam_setcred operations.

Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2009-02-14 16:33:38 UTC
sparc stable
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:24:14 UTC
GLSA request filed.
Comment 23 Björn 2009-03-10 12:41:08 UTC
now users need to kinit manually after unlocking their screens with expired credentials. we should really think about that effect of the patch. admins should be warned about this change of behavior.
Comment 24 Michael Hammer (RETIRED) gentoo-dev 2009-03-17 09:05:42 UTC
Hi mastamind!

Do you have another solution for the security issue? If you do have - have you already discussed the patch with upstream?

Thx, mueli
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-19 21:18:22 UTC
(In reply to comment #24)
> Hi mastamind!
> 
> Do you have another solution for the security issue? If you do have - have you
> already discussed the patch with upstream?
> 
> Thx, mueli
> 
Not sure if he got the reply since he was not cc'ed...
Comment 26 Heath Caldwell (RETIRED) gentoo-dev 2009-03-23 19:20:17 UTC
Any word on stabling 3.13?
Comment 27 Heath Caldwell (RETIRED) gentoo-dev 2009-03-23 19:51:49 UTC
Also, why is the patch named pam_krb5-3.12-CVE-2009-0361-0362.patch when it fixes CVE-2009-0360 and CVE-2009-0361?
Comment 28 Michael Hammer (RETIRED) gentoo-dev 2009-03-24 07:45:40 UTC
Stabaling pam_krb5-3.13 should be fine - first commit was done on 2009-02-12. Is this soultion acceptable for the security team?
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2009-03-24 10:39:07 UTC
(In reply to comment #28)
> Stabaling pam_krb5-3.13 should be fine - first commit was done on 2009-02-12.
> Is this soultion acceptable for the security team?

It does not impact this security bug, but fell free to request a regular stabling on another bug.
Comment 30 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-25 22:47:45 UTC
(In reply to comment #27)
> Also, why is the patch named pam_krb5-3.12-CVE-2009-0361-0362.patch when it
> fixes CVE-2009-0360 and CVE-2009-0361?
> 
Just an error in the patch filename, nothing important.

This was GLSA 200903-39, thanks everyone.
Comment 31 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-08 10:26:16 UTC
*** Bug 269008 has been marked as a duplicate of this bug. ***