Bug 17078

Summary: krb5 new security issues CVE-2015-269[5-7]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/663078/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: krb5-1.12.2-8.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-03 17:46:52 CET 
Fedora has issued an advisory on November 2:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170683.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment
(CVE-2015-2695).

In MIT krb5 1.9 and later, applications which call
gss_inquire_context() on a partially-established IAKERB context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  Java server applications using the
native JGSS provider are vulnerable to this bug.  A carefully crafted
IAKERB packet might allow the gss_inquire_context() call to succeed
with attacker-determined results, but applications should not make
access control decisions based on gss_inquire_context() results prior
to context establishment (CVE-2015-2696).

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte.  If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm.  Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash
(CVE-2015-2697).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2697
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170683.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.2-8.1.mga5
libkrb53-devel-1.12.2-8.1.mga5
libkrb53-1.12.2-8.1.mga5
krb5-server-1.12.2-8.1.mga5
krb5-server-ldap-1.12.2-8.1.mga5
krb5-workstation-1.12.2-8.1.mga5
krb5-pkinit-openssl-1.12.2-8.1.mga5

from krb5-1.12.2-8.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-11-03 17:47:06 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-11-04 14:19:29 CET 
Perhaps this SuSE advisory is a better reference than the Fedora one, since it actually has some information:
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html
David Walser 2015-11-04 19:17:56 CET

URL: (none) => http://lwn.net/Vulnerabilities/663078/

Comment 3 Herman Viaene 2015-11-06 14:17:56 CET 
MGA5-32 on AcerD620 Xfce
No installation issues
Followed procedure as per Comment 1, runs impeccable.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 4 claire robinson 2015-11-07 17:46:25 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-11-07 18:02:00 CET 
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK

Comment 6 Mageia Robot 2015-11-07 21:12:17 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0436.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED