Bug 14581

Summary: krb5 new security issue CVE-2014-5351
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, rverschelde, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/622610/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
Source RPM: krb5-1.11.4-1.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-17 05:44:15 CET 
A security issue in MIT krb5 has been fixed upstream in 1.13:
https://bugzilla.redhat.com/show_bug.cgi?id=1145425

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response
to a -randkey -keepold request, which allows remote authenticated users to
forge tickets by leveraging administrative access (CVE-2014-5351).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351
https://bugzilla.redhat.com/show_bug.cgi?id=1145425
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.1-1.5.mga3
libkrb53-devel-1.11.1-1.5.mga3
libkrb53-1.11.1-1.5.mga3
krb5-server-1.11.1-1.5.mga3
krb5-server-ldap-1.11.1-1.5.mga3
krb5-workstation-1.11.1-1.5.mga3
krb5-pkinit-openssl-1.11.1-1.5.mga3
krb5-1.11.4-1.2.mga4
libkrb53-devel-1.11.4-1.2.mga4
libkrb53-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-pkinit-openssl-1.11.4-1.2.mga4

from SRPMS:
krb5-1.11.1-1.5.mga3.src.rpm
krb5-1.11.4-1.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-11-17 05:44:54 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 olivier charles 2014-11-17 22:26:40 CET 
krb5 current packages :
---------------------

- krb5-pkinit-openssl-1.11.1-1.4.mga3.x86_64
- krb5-server-1.11.1-1.4.mga3.x86_64
- krb5-server-ldap-1.11.1-1.4.mga3.x86_64
- krb5-workstation-1.11.1-1.4.mga3.x86_64
- lib64ev4-4.11-3.mga3.x86_64
- lib64ldap2.4_2-devel-2.4.33-7.1.mga3.x86_64
- lib64verto1-0.2.5-2.mga3.x86_64
- lib64wrap-devel-7.6-43.mga3.x86_64
- libverto-libev-0.2.5-2.mga3.x86_64

Followed procedure mentionned in comment 1

To make it work, had to 
# urpmi bind
configure firewall
and reboot.

Could then complete procedure.

Updated to testing packages
---------------------------
- krb5-1.11.1-1.5.mga3.x86_64
- krb5-pkinit-openssl-1.11.1-1.5.mga3.x86_64
- krb5-server-1.11.1-1.5.mga3.x86_64
- krb5-server-ldap-1.11.1-1.5.mga3.x86_64
- krb5-workstation-1.11.1-1.5.mga3.x86_64
- lib64krb53-1.11.1-1.5.mga3.x86_64
- lib64krb53-devel-1.11.1-1.5.mga3.x86_64

rebooted

$ kinit
$ klist
$ krlogin $(hostname)
still showed expected results.

OK then.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK

Comment 3 Shlomi Fish 2014-11-18 16:24:49 CET 
Testing complete on a Mageia 4 x86-64 VM in the same way as comment 1 suggested.

Now going to test a Mageia 4 i586 VM.

CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Comment 4 Shlomi Fish 2014-11-18 16:43:55 CET 
(In reply to Shlomi Fish from comment #3)
> Testing complete on a Mageia 4 x86-64 VM in the same way as comment 1
> suggested.
> 
> Now going to test a Mageia 4 i586 VM.

test procedure ran fine on a Mageia 4 i586 VM.

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 5 David Walser 2014-11-18 17:46:10 CET 
I finally got this to work (Mageia 3 i586).  I noticed that the path to kadm5.keytab in the script is incorrect (should be /var/lib/krb5kdc).  The trick to finally getting this to work was, I had to change my /etc/hosts entry that had my hostname from 127.0.0.1 to my actual IP address.

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 6 RĂ©mi Verschelde 2014-11-19 13:35:40 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Mageia Robot 2014-11-21 13:45:58 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0477.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-21 19:03:42 CET

URL: (none) => http://lwn.net/Vulnerabilities/622610/