[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2018-02-06 Thread Launchpad Bug Tracker
This bug was fixed in the package pykerberos - 1.1+svn10616-2ubuntu0.1

---
pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: The checkPassword function does not authenticate the
    KDC it attempts to communicate with (LP: #1716429)
    - Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
      retrieved from xenial version (1.1.5-2build1).
    - CVE-2015-3206
    - debian/NEWS: add explanation of issue and default chosen

 -- Mathieu Lafon   Thu, 05 Oct 2017 09:32:55 +0200

** Changed in: pykerberos (Ubuntu Trusty)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1716429

Title:
  pykerberos for trusty does not include CVE-2015-3206 fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pykerberos/+bug/1716429/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
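
A practical check to go with the version above, added here as an example
rather than something from the bug thread: compare what dpkg reports for the
installed package against 1.1+svn10616-2ubuntu0.1 using the dpkg version
ordering (epoch, then upstream version, then Debian revision; digit runs
compare numerically, '~' sorts before everything, letters before other
characters). The binary package name python-kerberos is an assumption, and
the comparison is reimplemented in Python so it also runs where dpkg is
absent.

```python
"""Is the installed pykerberos at or past the trusty CVE-2015-3206 update?

Added example, not part of the bug thread.  The comparison mirrors the dpkg
algorithm; the binary package name python-kerberos is an assumption.
"""
import subprocess
from typing import Optional, Tuple

FIXED_VERSIONS = {
    # release codename -> first version carrying the fix, from this bug's changelog
    "trusty": "1.1+svn10616-2ubuntu0.1",
}


def _order(c: str) -> int:
    # dpkg's character weight: digits and end-of-string are 0, letters their
    # ASCII value, '~' below everything else, any other character above letters.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i] if i < len(a) else "")
            ob = _order(b[j] if j < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: compare numerically, so 10 > 9 and leading zeros do not matter.
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        ia, ib = int(na or "0"), int(nb or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    # [epoch:]upstream[-revision]; the revision is everything after the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1, as `dpkg --compare-versions v1 lt|eq|gt v2` would decide."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def has_cve_2015_3206_fix(installed: str, release: str = "trusty") -> bool:
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def installed_version(package: str = "python-kerberos") -> Optional[str]:
    # Ask dpkg for the installed version; None when dpkg or the package is absent.
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("python-kerberos is not installed (or this is not a dpkg system)")
    else:
        state = "fixed" if has_cve_2015_3206_fix(v) else "NOT fixed"
        print(f"python-kerberos {v}: CVE-2015-3206 {state}")
```

The same ordering explains the version list later in the thread: 1.1+svn10616
sorts below 1.1.5 because '+' ranks after letters but below '.', so a trusty
host cannot pick up the xenial package version through a plain upgrade of the
existing source.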

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-15 Thread Mathieu Lafon
Hi Steve,

> When debian fixed this issue [...], they left the default to off, in order to 
> not break [...]
> The update for Ubuntu 12.04 LTS included this default.

You're correct about Debian, but this is not exactly what is in the 12.04 LTS 
update. The patch for precise has two issues:
- The default value for 'verify' in the source code (src/kerberos.c) is 1 
(enabled) although pysrc/kerberos.py (only used for documentation) has 
'verify=False'
- The 'verify' argument was not made optional in the PyArg_ParseTuple() call so 
whatever default value was specified, the call would fail if there was not 5 
parameters.

So 12.04 LTS already broke existing setups (and I was personally
impacted at that time).

The patch included in xenial then fixes these issues:

pykerberos (1.1.5-2):
  * [d3133b6] Set verify=True in docs too.  This makes the docs consistent
with the default behaviour of the function.
  * [792f3b6] Make verify option really optional. So far it correctly
defaulted to true but couldn't be skipped.


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-13 Thread Steve Beattie
Hi Mathieu,

When debian fixed this issue for Jessie and Wheezy (their stable
releases), they left the default to off, in order to not break existing
setups that aren't prepared to do validation of the KDC (as it requires
possibly setting up an additional keytab). The update for Ubuntu 12.04
LTS included this default. I think this is the sensible thing to do for
Ubuntu 14.04 LTS.

(See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195 and in
particular, the added NEWS entry in
http://launchpadlibrarian.net/211063096/pykerberos_1.1+svn4895-1build2_1.1+svn4895-1+deb6u1build0.12.04.1.diff.gz
for explanation.)

I'm touching up your debdiff to do this (and include a similar NEWS
entry), and will push this to trusty-security next week.

Thanks.


** Bug watch added: Debian Bug tracker #796195
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195

** Changed in: pykerberos (Ubuntu Trusty)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

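
Steve's point about why validation needs a keytab, and Mathieu's note above
about the 'verify' default, in one constructed model. This is an added
example, not pykerberos or MIT krb5 code: "sealed under key K" is modelled
as an HMAC tag under K, and "the holder of K can open it" as "the tag
verifies". The realm EXAMPLE.COM, the principal alice and the service
host/app.example.com are assumptions. With verify off, a rogue KDC that
registers alice under a password of the attacker's choosing is accepted;
with verify on, the application requests a ticket for its own service
principal and the rogue KDC, lacking the keytab key, cannot produce one that
opens.

```python
"""Toy model of the exchanges behind checkPassword() and the CVE-2015-3206 hole.

Constructed example, not pykerberos or MIT krb5 code.  No real encryption or
ASN.1: a blob "sealed under K" is payload + HMAC-SHA256(K, payload), and
"opening" it means the tag verifies.  Names are assumptions for the example.
"""
from typing import Dict, Optional
import hashlib
import hmac
import secrets

TAG_LEN = 32


def user_key(password: str, realm: str, user: str) -> bytes:
    # Stand-in for Kerberos string-to-key (salted with realm + principal).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 1000)


def seal(key: bytes, payload: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class KDC:
    """One realm's KDC: user passwords, service long-term keys, krbtgt key."""

    def __init__(self, realm: str, passwords: Dict[str, str], service_keys: Dict[str, bytes]):
        self.realm = realm
        self.passwords = passwords
        self.service_keys = service_keys
        self.krbtgt_key = secrets.token_bytes(32)

    def as_exchange(self, user: str) -> bytes:
        # AS-REP: a TGT sealed under the user's long-term key, so only a client
        # holding the matching password can open it.  Unknown principals get a
        # reply under a throwaway key, which no password will open.
        tgt = seal(self.krbtgt_key, f"TGT:{user}@{self.realm}".encode())
        password = self.passwords.get(user)
        key = user_key(password, self.realm, user) if password else secrets.token_bytes(32)
        return seal(key, tgt)

    def tgs_exchange(self, tgt: bytes, service: str) -> Optional[bytes]:
        # TGS-REP: a service ticket sealed under the service's long-term key.
        if unseal(self.krbtgt_key, tgt) is None:
            return None
        # A rogue KDC does not hold the real service key and can only make one up.
        key = self.service_keys.get(service) or secrets.token_bytes(32)
        return seal(key, f"TICKET:{service}@{self.realm}".encode())


def check_password(kdc: KDC, service: str, user: str, password: str,
                   default_realm: str, keytab: Dict[str, bytes],
                   verify: bool = True) -> bool:
    """Model of checkPassword(service, user, password, default_realm, verify=True)."""
    as_rep = kdc.as_exchange(user)
    tgt = unseal(user_key(password, default_realm, user), as_rep)
    if tgt is None:
        return False          # password does not match what the answering KDC holds
    if not verify:
        return True           # CVE-2015-3206: the KDC itself was never authenticated
    # The verify step: obtain a ticket for our own service principal and check
    # that it opens with our keytab entry, which only the real KDC can satisfy.
    ticket = kdc.tgs_exchange(tgt, service)
    return ticket is not None and unseal(keytab[service], ticket) is not None


def demo() -> Dict[str, bool]:
    realm, service = "EXAMPLE.COM", "host/app.example.com"
    keytab = {service: secrets.token_bytes(32)}   # the application's own keytab
    honest = KDC(realm, {"alice": "correct horse"}, {service: keytab[service]})
    # The attacker answers as the KDC (spoofed DNS or a network position) and
    # has registered "alice" with a password of their own choosing.
    rogue = KDC(realm, {"alice": "attacker-chosen"}, {})
    return {
        "honest_kdc_right_password": check_password(honest, service, "alice", "correct horse", realm, keytab),
        "honest_kdc_wrong_password": check_password(honest, service, "alice", "guess", realm, keytab),
        "rogue_kdc_verify_off": check_password(rogue, service, "alice", "attacker-chosen", realm, keytab, verify=False),
        "rogue_kdc_verify_on": check_password(rogue, service, "alice", "attacker-chosen", realm, keytab, verify=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A keytab entry for the service principal is the price of verify=True, which
is the operational cost behind leaving the default off in the stable updates;
the model defaults to True to match what the xenial and later packages do.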

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-05 Thread Mathieu Lafon
Here is a new debdiff with the following changes:
- Updated priority in changelog
- Added DEP-3 headers in included patch
- Removed const qualifier

Regards.

** Patch added: "pykerberos_1.1+svn10616-2_1.1+svn10616-2ubuntu0.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pykerberos/+bug/1716429/+attachment/4962596/+files/pykerberos_1.1+svn10616-2_1.1+svn10616-2ubuntu0.1.debdiff


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-19 Thread Seth Arnold
Hrm, the debdiff includes:

++const int verify = 1;

This patch from upstream removed the 'const':

https://github.com/02strich/pykerberos/commit/873fca96cb42ff1c163859a5618dc9983796f438

The commit message includes this "gcc didn't respect the const
qualifiers, however" -- I'm not sure I like relying upon a whim of gcc
for this.

This debdiff does grab the '|b' vs 'b' change though.

Does anything ever want verify = false?

Thanks


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-14 Thread Simon Quigley
Hello Mathieu,

Please add the DEP-3 header to the included patch
(Add-KDC-authenticity-verification-support-CVE-2015-3206.patch).

Thanks for the triaging, I can get that on the tracker next time I do
some triaging (unless a member of ~ubuntu-security wants to take care of
it).

Thank you!


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-13 Thread Mathieu Lafon
Hello Simon,

On which patch do you expect me to add the DEP-3 header? Is it the debdiff
or the included patch
(Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)?

Regarding upstream, the patch has been included in 1.1.6 and updated in
1.1.10 regarding the 'verify' option (should have been optional but it
was not the case in the first patch).

Ref:
* https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
* https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784

Regarding the ubuntu versions:
* precise: based on 1.1+svn4895, patch included
* trusty: based on 1.1+svn10616, patch *not* included
* vivid: based on 1.1.5, patch *not* included
* xenial: based on 1.1.5, patch included (updated with second fix)
* zesty: based on 1.1.5, patch included (updated with second fix)
* artful: based on 1.1.5, patch included (updated with second fix)

So only trusty and vivid lack the security patch. I don't know if
there's a need to patch vivid as it has already reached EOL.


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Simon Quigley
Hello Mathieu,

Two things about your debdiff that I would suggest before this is uploaded:
 1. Please set the priority to medium in the changelog to match the CVE 
priority; also, I'm not sure the references to the other releases are needed, 
as this can be dealt with in the DEP-3 header (see below).
 2. Adding a DEP-3 header helps parse your patch in a machine-readable format, 
please update your patch to use it: http://dep.debian.net/deps/dep3/

Lastly, in order to properly do the triaging on the tracker[1], could
you please tell us if Zesty and Artful are applicable, or if it is fixed
in Xenial and on, and also which upstream release it was fixed in?

After the above is taken care of, it should be good to upload, unless
anyone else has feedback. Thank you for your contribution to Ubuntu and
your willingness to get this fixed!

[1] https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3206.html


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Simon Quigley
** Changed in: pykerberos (Ubuntu)
   Status: Incomplete => Confirmed

** Also affects: pykerberos (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: pykerberos (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: pykerberos (Ubuntu)
   Importance: Undecided => Medium

** Changed in: pykerberos (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: pykerberos (Ubuntu Trusty)
   Status: New => Confirmed


[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Seth Arnold
** Information type changed from Private Security to Public Security
