Bug 11668

Summary: krb5 new security issues CVE-2013-1417 and CVE-2013-1418
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, guillomovitch, oe, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/574583/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory
Source RPM: krb5-1.11.3-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-11-14 15:52:30 CET 
Upstream has released version 1.11.4 on November 4, fixing two security issues:
http://web.mit.edu/kerberos/krb5-1.11/

CVE-2013-1417 was fixed in July here:
https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc

Looking at the code, I don't believe CVE-2013-1417 affects 1.9.2 in Mageia 2.

For CVE-2013-1418, Fedora incorporated an upstream patch against 1.11.3 in Fedora 19 here:
http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?h=f19&id=74a7640cba4b98dde8e04127fef62718f4003a1e

More details on CVE-2013-1418 are in the RedHat bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418

The CVE-2013-1418 patch is easily re-diffed against 1.9.2 for Mageia 2.

I've checked the CVE-2013-1417 and CVE-2013-1418 patches in to SVN for Mageia 3 and the CVE-2013-1418 patch into SVN for Mageia 2.

I've also verified that 1.11.4 builds in Cauldron.  Guillaume, if you'd like, I can check it into Cauldron SVN and request the freeze push, or you can do it.

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-14 15:52:38 CET

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-11-14 16:50:58 CET 
Just compiling the advisories for when we do push this to QA.

BTW the commit log entry for CVE-2013-1417 confirms that only 1.11.x is vulnerable.  CVE-2013-1418 was also fixed in 1.10.7 for that branch.

Advisory (Mageia 2):
========================

Updated krb5 packages fix security vulnerabilities:

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC. This
can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.9.2-2.7.mga2
libkrb53-1.9.2-2.7.mga2
libkrb53-devel-1.9.2-2.7.mga2
krb5-server-1.9.2-2.7.mga2
krb5-server-ldap-1.9.2-2.7.mga2
krb5-workstation-1.9.2-2.7.mga2
krb5-pkinit-openssl-1.9.2-2.7.mga2

from krb5-1.9.2-2.7.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated krb5 packages fix security vulnerabilities:

An authenticated remote client can cause a KDC to crash by making a valid
TGS-REQ to a KDC serving a realm with a single-component name. The
process_tgs_req() function dereferences a null pointer because an unusual
failure condition causes a helper function to return success (CVE-2013-1417).

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC. This
can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.1-1.3.mga3
libkrb53-devel-1.11.1-1.3.mga3
libkrb53-1.11.1-1.3.mga3
krb5-server-1.11.1-1.3.mga3
krb5-server-ldap-1.11.1-1.3.mga3
krb5-workstation-1.11.1-1.3.mga3
krb5-pkinit-openssl-1.11.1-1.3.mga3

from krb5-1.11.1-1.3.mga3.src.rpm
Comment 2 David Walser 2013-11-15 12:37:58 CET 
krb5-1.11.4-1.mga4 uploaded for Cauldron.  Thanks Guillaume!

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 David Walser 2013-11-15 12:53:44 CET 
Patched packages uploaded for Mageia 2 and Mageia 3.

Advisories and package lists in Comment 1.

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Comment 4 Dave Hodgins 2013-11-18 19:38:01 CET 
Testing complete on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push the advisories 11668.mga2.adv and
11668.mga3.adv to updates.

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory validated_update

claire robinson 2013-11-18 19:40:24 CET

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory validated_update => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 5 Oden Eriksson 2013-11-19 10:23:44 CET 
======================================================
Name: CVE-2013-6800
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131115
Category: 
Reference: CONFIRM:http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757
Reference: CONFIRM:https://github.com/krb5/krb5/commit/c2ccf4197f697c4ff143b8a786acdd875e70a89d

An unspecified third-party database module for the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote
authenticated users to cause a denial of service (NULL pointer
dereference and daemon crash) via a crafted request, a different
vulnerability than CVE-2013-1418.

CC: (none) => oe

Oden Eriksson 2013-11-19 10:24:09 CET

Summary: krb5 new security issues CVE-2013-1417 and CVE-2013-1418 => krb5 new security issues CVE-2013-1417, CVE-2013-1418, CVE-2013-6800

Comment 6 David Walser 2013-11-19 14:00:00 CET 
I concur with the RedHat folks that CVE-2013-6800 shouldn't have been assigned for this; it's just a simple NULL pointer dereference and it's CVE-2013-1418.  We don't have 1.10.x packaged, and our update is for 1.11.x for Mageia 3.  For 1.9.x for Mageia 2, I don't see any reason to call it anything other than CVE-2013-1418.
https://bugzilla.redhat.com/show_bug.cgi?id=1031499

Summary: krb5 new security issues CVE-2013-1417, CVE-2013-1418, CVE-2013-6800 => krb5 new security issues CVE-2013-1417 and CVE-2013-1418

Comment 7 Thomas Backlund 2013-11-20 22:01:39 CET 
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0335.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0336.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-11-21 16:45:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/574583/