Bug#928966: heimdal: CVE-2018-16860

2019-05-21 Thread Brian May
Salvatore Bonaccorso  writes:

> Ah right, this is #923930?

Yes, looks like it. I didn't get the recent emails, thanks for the
reference. I have now followed up there.
-- 
Brian May 



Bug#928966: heimdal: CVE-2018-16860

2019-05-21 Thread Salvatore Bonaccorso
Hi Brian,

On Tue, May 21, 2019 at 07:00:52PM +1000, Brian May wrote:
> Salvatore Bonaccorso  writes:
> 
> > Alright, I will mark it no-dsa for stretch then at least. For buster,
> > might be still good to have the fix go in?
> 
> First attempt, looks like version in buster/sid doesn't build :-(

Ah right, this is #923930?

Regards,
Salvatore



Bug#928966: heimdal: CVE-2018-16860

2019-05-21 Thread Brian May
Salvatore Bonaccorso  writes:

> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?

First attempt, looks like version in buster/sid doesn't build :-(

=== cut ===

=
   Heimdal 7.5.0: lib/hx509/test-suite.log
=

# TOTAL: 16
# PASS:  13
# SKIP:  0
# XFAIL: 0
# FAIL:  3
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test_ca
=

create certificate request
issue certificate
verify certificate
issue crl (no cert)
verify certificate (with CRL)
issue crl (with cert)
verify certificate (included in CRL)
issue crl (with cert)
verify certificate (included in CRL, and lifetime 1 month)
issue certificate (10years 1 month)
issue certificate (with https ekus)
issue certificate (pkinit KDC)
issue certificate (pkinit client)
issue certificate (hostnames)
verify certificate hostname (ok)
verify certificate hostname (fail)
verify certificate hostname (fail)
issue certificate (hostname in CN)
verify certificate hostname (ok)
verify certificate hostname (fail)
issue certificate (email)
issue certificate (email, null subject DN)
issue certificate (jabber)
issue self-signed cert
issue ca cert
issue self-signed ca cert
issue proxy certificate
verify proxy cert
FAIL test_ca (exit status: 1)

FAIL: test_chain


cert -> root
FAIL test_chain (exit status: 1)

FAIL: test_cms
==

not testing ECDSA since hcrypto doesnt support ECDSA
create signed data
verify signed data
hxtool: hx509_cms_verify_signed: Failed to find certificate with id 
CE776EDE0BF421F878C01A7CC3B966EC4C3D4A23
FAIL test_cms (exit status: 1)


Testsuite summary for Heimdal 7.5.0

# TOTAL: 16
# PASS:  13
# SKIP:  0
# XFAIL: 0
# FAIL:  3
# XPASS: 0
# ERROR: 0

See lib/hx509/test-suite.log
Please report to https://github.com/heimdal/heimdal/issues

make[7]: *** [Makefile:1460: test-suite.log] Error 1
make[7]: Leaving directory '/<>/lib/hx509'
make[6]: *** [Makefile:1568: check-TESTS] Error 2
make[6]: Leaving directory '/<>/lib/hx509'
make[5]: *** [Makefile:1750: check-am] Error 2
make[5]: Leaving directory '/<>/lib/hx509'
make[4]: *** [Makefile:1752: check] Error 2
make[4]: Leaving directory '/<>/lib/hx509'
make[3]: *** [Makefile:565: check-recursive] Error 1
make[3]: Leaving directory '/<>/lib'
make[2]: *** [Makefile:613: check-recursive] Error 1
make[2]: Leaving directory '/<>'
dh_auto_test: make -j8 check VERBOSE=1 -j1 returned exit code 2
make[1]: *** [debian/rules:35: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2

Build finished at 2019-05-21T08:56:44Z
=== cut ===

-- 
Brian May 



Bug#928966: heimdal: CVE-2018-16860

2019-05-15 Thread Salvatore Bonaccorso
Hi,

On Tue, May 14, 2019 at 11:55:42AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
> 
> On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> > Salvatore Bonaccorso  writes:
> > 
> > > Source: heimdal
> > > Version: 7.5.0+dfsg-2.1
> > > Severity: important
> > > Tags: security upstream
> > > Control: found -1 7.1.0+dfsg-13+deb9u2
> > > Control: found -1 7.1.0+dfsg-13
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for heimdal, actually just
> > > what is affecting samba embedded copy of heimdal.
> > >
> > > CVE-2018-16860[0]:
> > > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> > >
> > > Please adjust the affected versions in the BTS as needed, all versions
> > > starting from 0.8 upwards including 7.5.0 are affected.
> > >
> > > What is your take on this? Does this need a DSA or is an update via an
> > > upcoming point release enough?
> > 
> > I am hardly authoritative on this, however my rough take right now is:
> > 
> > * There is a vulnerability.
> > * The fix is simple. Looking at the Samba patches, I suspect we only
> >   need the bit that alters krb5tgs.c - below.
> > * Not convinced this can actually be exploited without AD. It is
> >   unlikely you would be using the stock Heimdal with AD. So possible
> >   we don't need to worry.
> 
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?

For reference this is the patch in heimdal git repo:

https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba

Regards,
Salvatore



Bug#928966: heimdal: CVE-2018-16860

2019-05-14 Thread Salvatore Bonaccorso
Hi Brian,

On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> Salvatore Bonaccorso  writes:
> 
> > Source: heimdal
> > Version: 7.5.0+dfsg-2.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 7.1.0+dfsg-13+deb9u2
> > Control: found -1 7.1.0+dfsg-13
> >
> > Hi,
> >
> > The following vulnerability was published for heimdal, actually just
> > what is affecting samba embedded copy of heimdal.
> >
> > CVE-2018-16860[0]:
> > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> >
> > Please adjust the affected versions in the BTS as needed, all versions
> > starting from 0.8 upwards including 7.5.0 are affected.
> >
> > What is your take on this? Does this need a DSA or is an update via an
> > upcoming point release enough?
> 
> I am hardly authoritative on this, however my rough take right now is:
> 
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possible
>   we don't need to worry.

Alright, I will mark it no-dsa for stretch then at least. For buster,
might be still good to have the fix go in?

Regards,
Salvatore



Bug#928966: heimdal: CVE-2018-16860

2019-05-14 Thread Brian May
Salvatore Bonaccorso  writes:

> Source: heimdal
> Version: 7.5.0+dfsg-2.1
> Severity: important
> Tags: security upstream
> Control: found -1 7.1.0+dfsg-13+deb9u2
> Control: found -1 7.1.0+dfsg-13
>
> Hi,
>
> The following vulnerability was published for heimdal, actually just
> what is affecting samba embedded copy of heimdal.
>
> CVE-2018-16860[0]:
> Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
>
> Please adjust the affected versions in the BTS as needed, all versions
> starting from 0.8 upwards including 7.5.0 are affected.
>
> What is your take on this? Does this need a DSA or is an update via an
> upcoming point release enough?

I am hardly authoritative on this, however my rough take right now is:

* There is a vulnerability.
* The fix is simple. Looking at the Samba patches, I suspect we only
  need the bit that alters krb5tgs.c - below.
* Not convinced this can actually be exploited without AD. It is
  unlikely you would be using the stock Heimdal with AD. So possible
  we don't need to worry.


diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a888788bb6f..ff7d93138c0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1925,6 +1925,13 @@ server_lookup:
goto out;
}
 
+   if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
+   free_PA_S4U2Self(&self);
+   kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed 
checksum");
+   ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+   goto out;
+   }
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
if (ret)
goto out;
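
Review bot: the kdc_log() call in the new rejection branch logs only the fixed string "Reject PA-S4U2Self with unkeyed checksum", so an operator reading the KDC log cannot tell which checksum type was offered or tie the rejection to a request. Consider adding self.cksum.cksumtype to the message, formatted before free_PA_S4U2Self(&self) runs or with the value copied to a local first. Also, this branch frees self before "goto out" while the existing "if (ret) goto out;" just below does not visibly do so; it is worth confirming against the code at the out label that self is released exactly once on every path.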


-- 
Brian May 



Bug#928966: heimdal: CVE-2018-16860

2019-05-14 Thread Salvatore Bonaccorso
Source: heimdal
Version: 7.5.0+dfsg-2.1
Severity: important
Tags: security upstream
Control: found -1 7.1.0+dfsg-13+deb9u2
Control: found -1 7.1.0+dfsg-13

Hi,

The following vulnerability was published for heimdal, actually just
what is affecting samba embedded copy of heimdal.

CVE-2018-16860[0]:
Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860

Please adjust the affected versions in the BTS as needed, all versions
starting from 0.8 upwards including 7.5.0 are affected.

What is your take on this? Does this need a DSA or is an update via an
upcoming point release enough?

Regards,
Salvatore