Your message dated Wed, 18 Feb 2015 22:34:47 +0100
with message-id <[email protected]>
and subject line Re: Bug#778713: unblock: krb5/1.12.1+dfsg-18
has caused the Debian Bug report #778713,
regarding unblock: krb5/1.12.1+dfsg-18
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package krb5
Upstream released a patch for CVE-2014-5355, a NULL dereference
or out-of-bounds read in krb5_recvauth(). It is not clear that any
aging is necessary; perhaps the security team will request some.
The attached debdiff includes upstream's commit message, which includes
more details about the issue.
unblock krb5/1.12.1+dfsg-18
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog
--- krb5-1.12.1+dfsg/debian/changelog 2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/changelog 2015-02-18 12:52:19.000000000 -0500
@@ -1,3 +1,9 @@
+krb5 (1.12.1+dfsg-18) unstable; urgency=high
+
+ * Import upstream patch for CVE-2014-5355, Closes: #778647
+
+ -- Benjamin Kaduk <[email protected]> Wed, 18 Feb 2015 12:52:14 -0500
+
krb5 (1.12.1+dfsg-17) unstable; urgency=high
* MITKRB5-SA-2015-001
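Review bot: the new changelog entry names only the CVE number, so anyone reading the changelog learns nothing about what was fixed; suggest stating the impact the patch itself describes and the upstream ticket it carries, e.g. `* Import upstream patch for CVE-2014-5355 (NULL dereference or out-of-bounds read in krb5_recvauth(), upstream ticket 8050), Closes: #778647`. The urgency=high setting is appropriate for a security fix going through unblock.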
diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm
--- krb5-1.12.1+dfsg/debian/.git-dpm 2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/.git-dpm 2015-02-18 12:39:54.000000000 -0500
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-769a3f26c919339002ef2936592a90d144d0e238
-769a3f26c919339002ef2936592a90d144d0e238
+200a429df2c47467eb3a0973eb7594a475cc18fe
+200a429df2c47467eb3a0973eb7594a475cc18fe
00dec38e79dd6436e9efed873df00e6ea11fdd0e
00dec38e79dd6436e9efed873df00e6ea11fdd0e
krb5_1.12.1+dfsg.orig.tar.gz
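Review bot: consistency check only: the hash 200a429df2c47467eb3a0973eb7594a475cc18fe written to both updated lines is the same commit named in the From line of the new 0030 patch, and the two orig tarball hash lines are untouched, so the git-dpm bookkeeping agrees with the exported patch; nothing to change here.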
diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series
--- krb5-1.12.1+dfsg/debian/patches/series 2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/series 2015-02-18 12:39:54.000000000 -0500
@@ -27,3 +27,4 @@
upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch
0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch
upstream/0029-MITKRB5-SA-2015-0001.patch
+upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
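Review bot: the new entry's `upstream/` prefix matches the `Patch-Category: upstream` trailer inside the patch and the placement of 0027 and 0029, so the series is consistent for this change. Unrelated to this upload, 0028 sits in the list without the prefix; that pre-existing inconsistency is worth a separate cleanup rather than folding into a security unblock.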
diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
--- krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch 1969-12-31 19:00:00.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch 2015-02-18 12:39:54.000000000 -0500
@@ -0,0 +1,112 @@
+From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001
+From: Greg Hudson <[email protected]>
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings. Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence. krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions. If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash. If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons. These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to Tim Uglow for discovering this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+
+[[email protected]: CVSS score]
+
+ticket: 8050 (new)
+target_version: 1.13.1
+tags: pullup
+
+(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
+
+Patch-Category: upstream
+---
+ src/appl/user_user/server.c | 4 +++-
+ src/lib/krb5/krb/recvauth.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
+index dbff68e..b136c72 100644
+--- a/src/appl/user_user/server.c
++++ b/src/appl/user_user/server.c
+@@ -113,8 +113,10 @@ int main(argc, argv)
+ }
+ #endif
+
++ /* principal name must be sent null-terminated. */
+ retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
+- if (retval) {
++ if (retval || pname_data.length == 0 ||
++ pname_data.data[pname_data.length - 1] != '\0') {
+ com_err ("uu-server", retval, "reading pname");
+ return 2;
+ }
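Review bot: when krb5_read_message() succeeds but the new length or terminator check fails, `retval` is still 0, so `com_err ("uu-server", retval, "reading pname");` reports a success code against the "reading pname" text, which will mislead whoever debugs a rejected client. Suggest splitting the format check into its own branch with its own message, e.g. `com_err("uu-server", 0, "client principal name empty or not null-terminated");`, keeping the `return 2;`. The ordering of the three conditions is right: the `pname_data.length == 0` test guards the `pname_data.data[pname_data.length - 1]` index, so an empty message never touches the data pointer.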
+diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
+index da836283..5adc6dd 100644
+--- a/src/lib/krb5/krb/recvauth.c
++++ b/src/lib/krb5/krb/recvauth.c
+@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
+ krb5_rcache rcache = 0;
+ krb5_octet response;
+ krb5_data null_server;
++ krb5_data d;
+ int need_error_free = 0;
+ int local_rcache = 0, local_authcon = 0;
+
+@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+- if (strcmp(inbuf.data, sendauth_version)) {
++ d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
++ if (!data_eq(inbuf, d)) {
+ problem = KRB5_SENDAUTH_BADAUTHVERS;
+ response = 1;
+ }
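Review bot: the replacement is stricter than the strcmp() it removes, and the commit message should say so. `make_data((char *)sendauth_version, strlen(sendauth_version) + 1)` includes the terminating NUL, so data_eq() demands that the client's message be exactly strlen+1 bytes; a message with extra bytes after the NUL, which strcmp() would have accepted, now yields KRB5_SENDAUTH_BADAUTHVERS. That is the right behaviour for the zero-length and unterminated inputs described in the header, and the exact-length match is what makes the read-past-end impossible, but it is an observable protocol change that deserves one sentence for anyone running nonconforming clients.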
+@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+- if (appl_version && strcmp(inbuf.data, appl_version)) {
+- if (!problem) {
++ if (appl_version != NULL && !problem) {
++ d = make_data(appl_version, strlen(appl_version) + 1);
++ if (!data_eq(inbuf, d)) {
+ problem = KRB5_SENDAUTH_BADAPPLVERS;
+ response = 2;
+ }
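Review bot: the reshaped condition is equivalent to the old nested form (the mismatch only ever set `problem` when it was unset), and the empty-message case depends on data_eq() comparing lengths before it touches the data pointers, so that an `inbuf` with length 0 and a NULL data field never reaches a byte comparison; confirm that ordering in data_eq()'s definition since this hunk relies on it. Style point across the two recvauth.c hunks: sendauth_version is passed to make_data() through a `(char *)` cast while appl_version here is passed uncast, so either the cast above is unnecessary or the two are declared differently; make them consistent so the cast does not silently hide a const mismatch.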
--- End Message ---
--- Begin Message ---
On Wed, Feb 18, 2015 at 04:14:32PM -0500, Benjamin Kaduk <[email protected]> wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package krb5
>
Unblocked.
Regards,
--
Mehdi Dogguy
--- End Message ---