Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 628936 (CVE-2017-7562) - <app-crypt/mit-krb5-1.16: forged certificate allows improper authorization (CVE-2017-7562)
Summary: <app-crypt/mit-krb5-1.16: forged certificate allows improper authorization (C...
Status: RESOLVED FIXED
Alias: CVE-2017-7562
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-25 22:16 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-04-22 21:26 UTC (History)
1 user (show)

See Also:
Package list:
app-crypt/mit-krb5-1.16
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-25 22:16:24 UTC
From $URL:

A flaw was found in krb5 certificate EKU validation which could lead to improper authorization if a forged certificate with the right EKU and no SAN is used.

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.

Upstream bug:

https://github.com/krb5/krb5/pull/694

Upstream patch:

https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2
https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196
https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-26 20:24:05 UTC
This is fixed upstream in mit-krb5-1.16 which has released on 2017-12-05.
Comment 2 Larry the Git Cow gentoo-dev 2018-01-26 21:07:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c738af81bb82e7b640667f08e3199c5ca1

commit f4a050c738af81bb82e7b640667f08e3199c5ca1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-26 21:07:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 21:07:29 +0000

    app-crypt/mit-krb5: bump, fixes CVE-2017-7562
    
    Ebuild changes:
    ===============
    - Dropped the following upstreamed patches which are now included in v1.16:
    
      - mit-krb5-1.14.2-redeclared-ttyname.patch
      - mit-krb5-1.14.4-disable-nls.patch
      - mit-krb5-1.15.2-fix-pkinit.patch
    
    - We are now installing systemd services. [Bug 524412]
    
    - Tests are now restricted because they are requiring network access.
    
    Closes: https://bugs.gentoo.org/524412
    Bug: https://bugs.gentoo.org/628936
    Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-crypt/mit-krb5/Manifest                        |   1 +
 app-crypt/mit-krb5/files/mit-krb5kadmind.service   |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kdc.service       |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.service    |   8 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd.socket     |   9 ++
 app-crypt/mit-krb5/files/mit-krb5kpropd_at.service |   8 ++
 app-crypt/mit-krb5/mit-krb5-1.16.ebuild            | 155 +++++++++++++++++++++
 7 files changed, 198 insertions(+)}
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 15:30:33 UTC
@arches, please stabilize.
Comment 4 Sergei Trofimovich gentoo-dev 2018-03-25 20:33:15 UTC
ppc64 stable
Comment 5 Sergei Trofimovich gentoo-dev 2018-03-25 21:00:59 UTC
ppc stable
Comment 6 Sergei Trofimovich gentoo-dev 2018-03-25 21:58:37 UTC
ia64 stable
Comment 7 Mart Raudsepp gentoo-dev 2018-03-28 19:38:19 UTC
not newstabling arm64
Comment 8 Larry the Git Cow gentoo-dev 2018-03-29 02:01:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c476eeeae26a5ac514e5769e9a9a5346a6f21349

commit c476eeeae26a5ac514e5769e9a9a5346a6f21349
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 01:37:10 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 01:37:10 +0000

    app-crypt/mit-krb5: amd64 stable
    
    Bug: https://bugs.gentoo.org/628936
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-crypt/mit-krb5/mit-krb5-1.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 9 Thomas Deutschmann gentoo-dev Security 2018-03-29 14:53:51 UTC
x86 stable
Comment 10 Tobias Klausmann gentoo-dev 2018-03-31 14:18:55 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-04-08 10:48:44 UTC
arm stable
Comment 12 Matt Turner gentoo-dev 2018-04-22 20:20:10 UTC
hppa stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:25:07 UTC
GLSA Vote: No

Cleanup will happen in bug 628936
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:26:08 UTC
(In reply to Aaron Bauman from comment #13)
> GLSA Vote: No
> 
> Cleanup will happen in bug 628936

bug 649610 rather