Bug#928966: heimdal: CVE-2018-16860
Salvatore Bonaccorso writes:

> Ah right, this is #923930?

Yes, looks like it. I didn't get the recent emails, thanks for the
reference. I have now followed up there.
--
Brian May
Bug#928966: heimdal: CVE-2018-16860
Hi Brian,

On Tue, May 21, 2019 at 07:00:52PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Alright, I will mark it no-dsa for stretch then at least. For buster,
> > might be still good to have the fix go in?
>
> First attempt, looks like version in buster/sid doesn't build :-(

Ah right, this is #923930?

Regards,
Salvatore
Bug#928966: heimdal: CVE-2018-16860
Salvatore Bonaccorso writes:

> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?

First attempt, looks like version in buster/sid doesn't build :-(

=== cut ===
= Heimdal 7.5.0: lib/hx509/test-suite.log =

# TOTAL: 16
# PASS: 13
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test_ca
=

create certificate request
issue certificate
verify certificate
issue crl (no cert)
verify certificate (with CRL)
issue crl (with cert)
verify certificate (included in CRL)
issue crl (with cert)
verify certificate (included in CRL, and lifetime 1 month)
issue certificate (10years 1 month)
issue certificate (with https ekus)
issue certificate (pkinit KDC)
issue certificate (pkinit client)
issue certificate (hostnames)
verify certificate hostname (ok)
verify certificate hostname (fail)
verify certificate hostname (fail)
issue certificate (hostname in CN)
verify certificate hostname (ok)
verify certificate hostname (fail)
issue certificate (email)
issue certificate (email, null subject DN)
issue certificate (jabber)
issue self-signed cert
issue ca cert
issue self-signed ca cert
issue proxy certificate
verify proxy cert
FAIL test_ca (exit status: 1)

FAIL: test_chain

cert -> root
FAIL test_chain (exit status: 1)

FAIL: test_cms
==

not testing ECDSA since hcrypto doesnt support ECDSA
create signed data
verify signed data
hxtool: hx509_cms_verify_signed: Failed to find certificate with id CE776EDE0BF421F878C01A7CC3B966EC4C3D4A23
FAIL test_cms (exit status: 1)

Testsuite summary for Heimdal 7.5.0
# TOTAL: 16
# PASS: 13
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0
See lib/hx509/test-suite.log
Please report to https://github.com/heimdal/heimdal/issues
make[7]: *** [Makefile:1460: test-suite.log] Error 1
make[7]: Leaving directory '/<>/lib/hx509'
make[6]: *** [Makefile:1568: check-TESTS] Error 2
make[6]: Leaving directory '/<>/lib/hx509'
make[5]: *** [Makefile:1750: check-am] Error 2
make[5]: Leaving directory '/<>/lib/hx509'
make[4]: *** [Makefile:1752: check] Error 2
make[4]: Leaving directory '/<>/lib/hx509'
make[3]: *** [Makefile:565: check-recursive] Error 1
make[3]: Leaving directory '/<>/lib'
make[2]: *** [Makefile:613: check-recursive] Error 1
make[2]: Leaving directory '/<>'
dh_auto_test: make -j8 check VERBOSE=1 -j1 returned exit code 2
make[1]: *** [debian/rules:35: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
Build finished at 2019-05-21T08:56:44Z
=== cut ===
--
Brian May
Bug#928966: heimdal: CVE-2018-16860
Hi,

On Tue, May 14, 2019 at 11:55:42AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
>
> On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> > Salvatore Bonaccorso writes:
> >
> > > Source: heimdal
> > > Version: 7.5.0+dfsg-2.1
> > > Severity: important
> > > Tags: security upstream
> > > Control: found -1 7.1.0+dfsg-13+deb9u2
> > > Control: found -1 7.1.0+dfsg-13
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for heimdal, actually just
> > > what is affecting samba embedded copy of heimdal.
> > >
> > > CVE-2018-16860[0]:
> > > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> > >
> > > Please adjust the affected versions in the BTS as needed, all versions
> > > starting from 0.8 upwards including 7.5.0 are affected.
> > >
> > > What is your take on this? Does this need a DSA or is an update via an
> > > upcoming point release enough?
> >
> > I am hardly authoritative on this, however my rough take right now is:
> >
> > * There is a vulnerability.
> > * The fix is simple. Looking at the Samba patches, I suspect we only
> >   need the bit that alters krb5tgs.c - below.
> > * Not convinced this can actually be exploited without AD. It is
> >   unlikely you would be using the stock Heimdal with AD. So possible
> >   we don't need to worry.
>
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?

For reference this is the patch in heimdal git repo:

https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba

Regards,
Salvatore
Bug#928966: heimdal: CVE-2018-16860
Hi Brian,

On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Source: heimdal
> > Version: 7.5.0+dfsg-2.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 7.1.0+dfsg-13+deb9u2
> > Control: found -1 7.1.0+dfsg-13
> >
> > Hi,
> >
> > The following vulnerability was published for heimdal, actually just
> > what is affecting samba embedded copy of heimdal.
> >
> > CVE-2018-16860[0]:
> > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> >
> > Please adjust the affected versions in the BTS as needed, all versions
> > starting from 0.8 upwards including 7.5.0 are affected.
> >
> > What is your take on this? Does this need a DSA or is an update via an
> > upcoming point release enough?
>
> I am hardly authoritative on this, however my rough take right now is:
>
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possible
>   we don't need to worry.

Alright, I will mark it no-dsa for stretch then at least. For buster,
might be still good to have the fix go in?

Regards,
Salvatore
Bug#928966: heimdal: CVE-2018-16860
Salvatore Bonaccorso writes:

> Source: heimdal
> Version: 7.5.0+dfsg-2.1
> Severity: important
> Tags: security upstream
> Control: found -1 7.1.0+dfsg-13+deb9u2
> Control: found -1 7.1.0+dfsg-13
>
> Hi,
>
> The following vulnerability was published for heimdal, actually just
> what is affecting samba embedded copy of heimdal.
>
> CVE-2018-16860[0]:
> Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
>
> Please adjust the affected versions in the BTS as needed, all versions
> starting from 0.8 upwards including 7.5.0 are affected.
>
> What is your take on this? Does this need a DSA or is an update via an
> upcoming point release enough?

I am hardly authoritative on this, however my rough take right now is:

* There is a vulnerability.
* The fix is simple. Looking at the Samba patches, I suspect we only
  need the bit that alters krb5tgs.c - below.
* Not convinced this can actually be exploited without AD. It is
  unlikely you would be using the stock Heimdal with AD. So possible
  we don't need to worry.

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index a888788bb6f..ff7d93138c0 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1925,6 +1925,13 @@ server_lookup: goto out; } + if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) { + free_PA_S4U2Self(&self); + kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum"); + ret = KRB5KRB_AP_ERR_INAPP_CKSUM; + goto out; + } + ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack); if (ret) goto out;
--
Brian May
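Review bot: the kdc_log() call in the new rejection branch records only "Reject PA-S4U2Self with unkeyed checksum" and says nothing about which request triggered it. Consider adding the requesting principal, and the source address if one is in scope at this point in the function, so that a rejected request can be attributed from the KDC log alone. The hunk is also written against Samba's embedded copy (source4/heimdal/kdc/krb5tgs.c), so the path prefix and the 1925 line offset will need adjusting before it applies to the stand-alone heimdal source. Nothing in the hunk adds a test that sends an unkeyed checksum type and expects KRB5KRB_AP_ERR_INAPP_CKSUM, which would be worth having alongside the check.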
Bug#928966: heimdal: CVE-2018-16860
Source: heimdal
Version: 7.5.0+dfsg-2.1
Severity: important
Tags: security upstream
Control: found -1 7.1.0+dfsg-13+deb9u2
Control: found -1 7.1.0+dfsg-13

Hi,

The following vulnerability was published for heimdal, actually just
what is affecting samba embedded copy of heimdal.

CVE-2018-16860[0]:
Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860

Please adjust the affected versions in the BTS as needed, all versions
starting from 0.8 upwards including 7.5.0 are affected.

What is your take on this? Does this need a DSA or is an update via an
upcoming point release enough?

Regards,
Salvatore