Your message dated Sat, 16 Mar 2013 20:26:44 +0100
with message-id <[email protected]>
and subject line Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS)
in plugins/preauth/pkinit/pkinit_srv.c
has caused the Debian Bug report #702633,
regarding CVE-2012-1016: NULL pointer dereference (DoS) in
plugins/preauth/pkinit/pkinit_srv.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
702633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702633
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:krb5
Version: 1.10.1+dfsg-4
Severity: serious
Tags: security
Dear kerberos maintainers,
I noticed that your recent upload of 1.10.1+dfsg-4 fixed CVE-2013-1415,
but it does not say anything about CVE-2012-1016. Those two
vulnerabilities were fixed in the same upstream release 1.10.4. Could
you have a look at whether this particular issue CVE-2012-1016 affects
us and downgrade or close this bug as appropriate?
Helmut
--- End Message ---
--- Begin Message ---
Version: 1.10.1+dfsg-4+nmu1
Hi Arnaud
On 2013-03-15 17:20:12, Arnaud Fontaine wrote:
> After checking the source code, this part of the code does not seem to
> have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at
> least the version available in testing and unstable. The current code
> is:
>
> if ((rep9 != NULL &&
>      rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
>     (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
>
>     /* If mutually supported KDFs were found, use the alg agility KDF */
>     if (rep->u.dh_Info.kdfID) {
>
> Thus, rep could be NULL which has been addressed by the following
> upstream patch:
>
> https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
>
> I also prepared a NMU[0] in case it helps (it builds fine with
> cowbuilder but I could not test it though) and attached the diff to this
> email.
The bug has already been fixed in 1.10.1+dfsg-4+nmu1 with the same
patch. There doesn't seem to be an nmudiff in the bug log and the -done
mail is also missing. Maybe they got lost during the BTS outage
yesterday or are stuck in some queue and have yet to be delivered to
the BTS.
So let's close the bug. I've also attached the debdiff between
1.10.1+dfsg-4 and 1.10.1+dfsg-1+nmu1.
Regards
--
Sebastian Ramacher
diff -Nru krb5-1.10.1+dfsg/debian/changelog krb5-1.10.1+dfsg/debian/changelog
--- krb5-1.10.1+dfsg/debian/changelog 2013-02-20 02:54:44.000000000 +0100
+++ krb5-1.10.1+dfsg/debian/changelog 2013-03-15 05:17:03.000000000 +0100
@@ -1,3 +1,11 @@
+krb5 (1.10.1+dfsg-4+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2013-1016: null pointer derefence when handling a draft9 request
+ (closes: #702633).
+
+ -- Michael Gilbert <[email protected]> Fri, 15 Mar 2013 04:15:27 +0000
+
krb5 (1.10.1+dfsg-4) unstable; urgency=high
* KDC null pointer dereference with PKINIT, CVE-2013-1415
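Review bot: the new changelog entry `+ * Fix cve-2013-1016: null pointer derefence when handling a draft9 request` records the wrong CVE identifier; the bug it closes (#702633, per the subject line of this report) is CVE-2012-1016, and the existing entry just below uses the capitalised form `CVE-2013-1415`. Suggest `* Fix CVE-2012-1016: NULL pointer dereference when handling a draft9 request`, which also corrects the "derefence" typo.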
diff -Nru krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch
krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch
--- krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch 1970-01-01
01:00:00.000000000 +0100
+++ krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch 2013-03-15
05:18:53.000000000 +0100
@@ -0,0 +1,16 @@
+Description: fix cve-2013-1016.
+Author: Michael Gilbert <[email protected]>
+
+--- krb5-1.10.1+dfsg.orig/src/plugins/preauth/pkinit/pkinit_srv.c
++++ krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -1017,8 +1017,8 @@ pkinit_server_return_padata(krb5_context
+ (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+
+ /* If mutually supported KDFs were found, use the alg agility KDF */
+- if (rep->u.dh_Info.kdfID) {
+- secret.data = server_key;
++ if (rep != NULL && rep->u.dh_Info.kdfID) {
++ secret.data = (char *)server_key;
+ secret.length = server_key_len;
+
+ retval = pkinit_alg_agility_kdf(context, &secret,
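Review bot: the patch header carries no `Origin:` or `Bug-Debian:` field, although the upstream commit (https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff) is cited earlier in this mail, and its `Description: fix cve-2013-1016.` repeats the CVE misnumbering; add `Origin: upstream, <that URL>` and `Bug-Debian: http://bugs.debian.org/702633` and name CVE-2012-1016. The code change itself is right: the enclosing condition can be satisfied by `rep9` alone, so `rep` may be NULL where `rep->u.dh_Info.kdfID` is read, and `rep != NULL &&` short-circuits that read. The `(char *)server_key` cast on the next line is unrelated to the crash and is worth a sentence in the description so it is not mistaken for part of the fix.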
diff -Nru krb5-1.10.1+dfsg/debian/patches/series
krb5-1.10.1+dfsg/debian/patches/series
--- krb5-1.10.1+dfsg/debian/patches/series 2013-02-20 02:54:44.000000000
+0100
+++ krb5-1.10.1+dfsg/debian/patches/series 2013-03-15 05:18:29.000000000
+0100
@@ -19,3 +19,4 @@
upstream/0019-Null-pointer-deref-in-kadmind-CVE-2012-1013.patch
0020-gssapi-never-unload-mechanisms.patch
0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch
+cve-2013-1016.patch
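Review bot: `cve-2013-1016.patch` does not follow the naming of the neighbouring entries (`0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch`) and encodes the wrong CVE year; naming it along the lines of `0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch`, with the matching rename under debian/patches, keeps the series readable and the identifier correct.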
--- End Message ---
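The control flow Arnaud quotes above, as an added C example that is neither krb5 code nor part of this bug report: the structs, enum values and the `KDF_LEGACY` fallback are constructed stand-ins (the real `else` branch is not shown in the report), and `select_kdf_before` returns `KDF_WOULD_CRASH` at the exact point where the original read `rep->u.dh_Info.kdfID` through a NULL pointer. It shows why the `||` condition lets `rep` be NULL and how the `rep != NULL &&` guard from the patch closes that path.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the two reply structures named in the report.
 * Only the fields the snippet touches are modelled; the enum values are
 * placeholders, not the tags used by the real pkinit code. */
enum rep9_choice {
    choice_pa_pk_as_rep_draft9_dhSignedData = 1,
    choice_pa_pk_as_rep_draft9_other        = 2
};
enum rep_choice {
    choice_pa_pk_as_rep_dhInfo = 1,
    choice_pa_pk_as_rep_other  = 2
};

struct dh_info { int kdfID; };                 /* non-zero: a KDF was negotiated */
struct pa_pk_as_rep_draft9 { enum rep9_choice choice; };
struct pa_pk_as_rep {
    enum rep_choice choice;
    struct { struct dh_info dh_Info; } u;      /* mirrors rep->u.dh_Info */
};

enum kdf_path { KDF_NONE, KDF_ALG_AGILITY, KDF_LEGACY, KDF_WOULD_CRASH };

/* Pre-patch control flow. The left operand of || can be true on its own
 * (a draft9 DH reply with no RFC 4556 reply), so rep is unchecked when the
 * inner condition reads it. Instead of faulting, report that point. */
static enum kdf_path
select_kdf_before(const struct pa_pk_as_rep_draft9 *rep9,
                  const struct pa_pk_as_rep *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        if (rep == NULL)
            return KDF_WOULD_CRASH;   /* original: rep->u.dh_Info.kdfID here */
        if (rep->u.dh_Info.kdfID)
            return KDF_ALG_AGILITY;
        return KDF_LEGACY;            /* assumed fallback; not shown in the report */
    }
    return KDF_NONE;
}

/* Patched control flow: the guard from the upstream commit. With rep == NULL
 * the && short-circuits and the code takes the fallback instead of faulting. */
static enum kdf_path
select_kdf_after(const struct pa_pk_as_rep_draft9 *rep9,
                 const struct pa_pk_as_rep *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        if (rep != NULL && rep->u.dh_Info.kdfID)
            return KDF_ALG_AGILITY;
        return KDF_LEGACY;
    }
    return KDF_NONE;
}

int main(void)
{
    /* Constructed inputs: a draft9 DH reply on its own, and an RFC 4556
     * reply that negotiated a KDF. */
    struct pa_pk_as_rep_draft9 d9 = { choice_pa_pk_as_rep_draft9_dhSignedData };
    struct pa_pk_as_rep rep = { choice_pa_pk_as_rep_dhInfo, { { 5 } } };

    printf("draft9 only   before=%d after=%d (3 = would crash)\n",
           select_kdf_before(&d9, NULL), select_kdf_after(&d9, NULL));
    printf("rfc4556 reply before=%d after=%d\n",
           select_kdf_before(NULL, &rep), select_kdf_after(NULL, &rep));
    return 0;
}
```

Both functions keep the outer condition exactly as quoted; only the inner test differs, which is the whole of the upstream fix.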