Bug 323525 - <app-crypt/mit-krb5-1.8.2 multiple vulnerabilities (CVE-2010-{1320,1321})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://web.mit.edu/Kerberos/krb5-1.8/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: 321935
Reported: 2010-06-11 09:08 UTC by Eray Aslan
Modified: 2012-01-23 20:38 UTC
Attachments
kpropd.xinetd (kpropd.xinetd,194 bytes, text/plain)
2010-06-11 09:09 UTC, Eray Aslan
mit-krb5-1.8.2.ebuild (mit-krb5-1.8.2.ebuild,2.47 KB, text/plain)
2010-06-11 09:30 UTC, Eray Aslan

Description Eray Aslan gentoo-dev 2010-06-11 09:08:14 UTC
Major changes in 1.8.2
----------------------

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** CVE-2010-1320 KDC double free caused by ticket renewal
     (MITKRB5-SA-2010-004)
  ** CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)

* Allow numeric IPv6 addresses for configuring KDC locations.

krb5-1.8.2 changes by ticket ID
-------------------------------

6562    kinit not working if kdc is configured with numerical IPv6 address
6696    gss_accept_sec_context doesn't produce error tokens
6697    segfault caused by dlerror returning NULL
6698    kproplog displays incorrect iprop timestamps on 64-bit platforms
6702    CVE-2010-1320 KDC double free caused by ticket renewal
        (MITKRB5-SA-2010-004)
6711    memory leak in process_tgs_req in r23724
6718    Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
6722    Error handling bug in krb5_init_creds_init()
6725    CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
6726    SPNEGO doesn't interoperate with Windows 2000
6730    kdc_tcp_ports not documented in kdc.conf.M
6734    FAST negotiation could erroneously succeed

Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2010-06-11 09:09:36 UTC
Created attachment 234919
kpropd.xinetd
Comment 2 Eray Aslan gentoo-dev 2010-06-11 09:30:49 UTC
Created attachment 234923
mit-krb5-1.8.2.ebuild

Changelog:

Version bump bug #323525.  Added xinetd USE flag bug #321939.  Disabled parallel make bug #321141.  No need to inherit autotools anymore.
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-11 15:55:52 UTC
+  11 Jun 2010; Jeremy Olexa <darkside@gentoo.org> +mit-krb5-1.8.2.ebuild,
+  +files/kpropd.xinetd:
+  Version bump bug #323525. Added xinetd USE flag bug #321939. Disabled
+  parallel make bug #321141. No need to inherit autotools anymore.
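Review bot: the ChangeLog entry records this only as "Version bump bug #323525" and never names what the bump fixes. The description on this bug lists CVE-2010-1320 and CVE-2010-1321 as fixed in 1.8.2, so consider mentioning the security fix (or the CVE ids) in the entry, so that the reason for the bump is visible from the ChangeLog alone.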
Comment 4 Eray Aslan gentoo-dev 2010-06-15 09:21:15 UTC
Multiple vulnerabilities exist for <app-crypt/mit-krb5-1.8.2.  Please see http://web.mit.edu/kerberos/advisories/ for a full list.

Arches, please test and mark stable =app-crypt/mit-krb5-1.8.2

Target keywords:
"alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:10:07 UTC
reassigning to security and fixing product/component

Eray, please file security related bugs in the Gentoo Security product. Also please don't close bugs assigned to security@g.o
For more information about handling security bugs have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml and http://www.gentoo.org/security/en/index.xml
Comment 6 Eray Aslan gentoo-dev 2010-06-16 08:35:48 UTC
Noted.  Sorry about that.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-16 09:15:35 UTC
x86 stable
Comment 8 Alex Buell 2010-06-17 00:25:34 UTC
Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect of putting a blocker on apps that use heimdal.

equery d heimdal
[ Searching for packages depending on heimdal... ]
net-ftp/proftpd-1.3.2d (kerberos? app-crypt/heimdal)
net-nds/openldap-2.4.19-r1 (!minimal & smbkrb5passwd? app-crypt/heimdal)

This really needs sorting out as I use kerberos as one of my USE flags!

# equery d mit-krb5
[ Searching for packages depending on mit-krb5... ]
dev-lang/php-5.2.13 (kerberos? virtual/krb5)
dev-libs/cyrus-sasl-2.1.23-r1 (kerberos? virtual/krb5)
dev-libs/openssl-0.9.8o (kerberos? app-crypt/mit-krb5)
dev-perl/GSSAPI-0.24 (virtual/krb5)
dev-util/cvs-1.12.12-r6 (kerberos? virtual/krb5)
gnome-base/gnome-vfs-2.24.3-r1 (kerberos? virtual/krb5)
gnome-extra/evolution-data-server-2.28.3.1-r1 (kerberos? virtual/krb5)
                                              (krb4? app-crypt/mit-krb5[krb4])
mail-client/evolution-2.28.3.1 (kerberos? virtual/krb5)
                               (krb4? app-crypt/mit-krb5[krb4])
net-fs/nfs-utils-1.1.4-r1 (!nonfsv4 & kerberos? app-crypt/mit-krb5)
net-fs/samba-3.4.6 (ads? virtual/krb5)
net-ftp/proftpd-1.3.2d (kerberos? <app-crypt/mit-krb5-1.7)
net-im/pidgin-2.6.6 (zephyr? >=app-crypt/mit-krb5-1.3.6-r1[krb4])
net-mail/fetchmail-6.3.17 (kerberos? virtual/krb5)
net-misc/curl-7.20.0-r2 (kerberos? virtual/krb5)
net-misc/neon-0.29.3 (kerberos? virtual/krb5)
net-misc/openssh-5.3_p1-r1 (kerberos? virtual/krb5)
net-nds/openldap-2.4.19-r1 (!minimal & kerberos? virtual/krb5)
net-print/cups-1.3.11-r1 (kerberos? virtual/krb5)
Comment 9 Eray Aslan gentoo-dev 2010-06-17 06:50:19 UTC
Please open a separate bug for it.  Thank you.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-21 18:34:47 UTC
(In reply to comment #8)
> Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect
> of putting a blocker on apps that use heimdal.

That should be impossible as heimdal and mit-krb5 are interchangeable, and we don't impose a restriction on either use:

jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-nds/openldap $ ebuildvar DEPEND | grep kerb
openldap-2.3.43-r1.ebuild:              kerberos? ( virtual/krb5 )
openldap-2.4.19-r1.ebuild:              kerberos? ( virtual/krb5 )
openldap-2.4.21.ebuild:                 kerberos? ( virtual/krb5 )
jeroen@astrid /keeps/gentoo/cvs/gentoo-x86/net-ftp/proftpd $ ebuildvar DEPEND | grep kerb
proftpd-1.3.2b.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2c.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2d.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.2e.ebuild:          kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )
proftpd-1.3.3.ebuild:   kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) )

The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead, but that problem has nothing to do with this bug report.
Comment 11 Eray Aslan gentoo-dev 2010-06-21 18:54:47 UTC
(In reply to comment #10)
> The proftpd DEPENDs are obviously wrong and should use virtual/krb5 instead,
> but that problem has nothing to do with this bug report.

Agreed.  Please see bug #324903
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-22 01:17:57 UTC
Stable for HPPA.
Comment 13 Christoph Mende (RETIRED) gentoo-dev 2010-06-23 15:58:40 UTC
amd64 stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2010-07-08 15:53:12 UTC
ppc64 done
Comment 15 Tobias Klausmann gentoo-dev 2010-07-11 10:15:02 UTC
Stable on alpha.
Comment 16 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-14 15:21:02 UTC
(cleaning my bug queue, Eray can add me to CC for future requests)
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-07-18 17:42:26 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 18 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 00:38:02 UTC
Marked ppc stable.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:35:59 UTC
glsa request filed.
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:04:57 UTC
CVE-2010-1320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320):
  Double free vulnerability in do_tgs_req.c in the Key Distribution
  Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before
  1.8.2 allows remote authenticated users to cause a denial of service
  (daemon crash) or possibly execute arbitrary code via a request
  associated with (1) renewal or (2) validation.

CVE-2010-1321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321):
  The kg_accept_krb5 function in krb5/accept_sec_context.c in the
  GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8
  before 1.8.2, as used in kadmind and other applications, does not
  properly check for invalid GSS-API tokens, which allows remote
  authenticated users to cause a denial of service (NULL pointer
  dereference and daemon crash) via an AP-REQ message in which the
  authenticator's checksum field is missing.
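
The affected ranges quoted in the comment above can be turned into a version check, shown here as an added example that is not part of the bug report or of Gentoo's tooling. The function names and the sample package strings are assumptions constructed for illustration; the ranges are encoded exactly as the two summaries word them.

```python
import re

# Version ranges as worded in the NVD summaries quoted above (comment 20).
_ATOM = re.compile(r"(?:app-crypt/mit-krb5-)?(\d+(?:\.\d+)*)(?:-r\d+)?")

def parse_version(pv):
    """Parse '1.8.1', '1.8.1-r2' or 'app-crypt/mit-krb5-1.8.1-r2' into a
    tuple of ints. The ebuild revision (-rN) is ignored and short versions
    are zero-padded, so '1.8' compares as (1, 8, 0)."""
    m = _ATOM.fullmatch(pv.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {pv!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_cves(pv):
    """Return the CVEs from this bug whose stated range covers pv."""
    v = parse_version(pv)
    hits = []
    # CVE-2010-1320: "1.7.x and 1.8.x before 1.8.2"
    if (1, 7, 0) <= v < (1, 8, 2):
        hits.append("CVE-2010-1320")
    # CVE-2010-1321: "through 1.7.1 and 1.8 before 1.8.2"
    if v <= (1, 7, 1) or (1, 8, 0) <= v < (1, 8, 2):
        hits.append("CVE-2010-1321")
    return hits

def matches_bug_atom(pv):
    """True if pv falls under the bug title's atom <app-crypt/mit-krb5-1.8.2."""
    return parse_version(pv) < (1, 8, 2)

def audit(installed):
    """Map each installed version string to (matches_bug_atom, CVE list)."""
    return {pv: (matches_bug_atom(pv), affected_cves(pv)) for pv in installed}

if __name__ == "__main__":
    # Constructed sample input, not taken from any real host.
    sample = ["app-crypt/mit-krb5-1.6.3-r6", "app-crypt/mit-krb5-1.8.1",
              "app-crypt/mit-krb5-1.8.2"]
    for pv, (vuln, cves) in audit(sample).items():
        print(f"{pv}: upgrade needed={vuln} cves={', '.join(cves) or 'none'}")
```

A version older than 1.7 falls only in the CVE-2010-1321 range, while the bug's atom treats everything below 1.8.2 as needing the upgrade.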
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:38:19 UTC
This issue was resolved and addressed in
 GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml
by GLSA coordinator Sean Amoss (ackle).