Bug 17642

Summary: krb5 new security issues CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/674262/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: krb5-1.12.2-8.2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-01-29 21:03:38 CET 
Patched package uploaded for Mageia 5 with upstream patches (via Fedora) that fix three security issues and a crash in Chrome.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte.  Information leakage may be possible
for an attacker with permission to modify the database (CVE-2015-8629).

In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask (CVE-2015-8630).

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one.  Repeating these requests will eventually cause
kadmind to exhaust all available memory (CVE-2015-8631).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8631
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.2-8.3.mga5
libkrb53-devel-1.12.2-8.3.mga5
libkrb53-1.12.2-8.3.mga5
krb5-server-1.12.2-8.3.mga5
krb5-server-ldap-1.12.2-8.3.mga5
krb5-workstation-1.12.2-8.3.mga5
krb5-pkinit-openssl-1.12.2-8.3.mga5

from krb5-1.12.2-8.3.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-29 21:03:49 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-02-01 17:08:53 CET 
Fedora has issued an advisory for this on January 31:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176451.html

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte.  Information leakage may be possible
for an attacker with permission to modify the database (CVE-2015-8629).

In MIT krb5 1.12 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying a null policy value but including KADM5_POLICY in
the mask (CVE-2015-8630).

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one.  Repeating these requests will eventually cause
kadmind to exhaust all available memory (CVE-2015-8631).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8631
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176451.html
David Walser 2016-02-02 13:54:54 CET

URL: (none) => http://lwn.net/Vulnerabilities/674262/

Comment 3 Herman Viaene 2016-02-04 16:21:26 CET 
MGA5-32 on Acer D620 Xfce
No installation issues.
Followed procedure as per Comment 1: OK
$ kinit 
Password for tester5@xxxx.yyyy.zzzz: 
[tester5@xxxx essentialsql]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tester5@xxxx.yyyy.zzzz

Valid starting     Expires            Service principal
04-02-16 16:15:05  05-02-16 16:15:05  krbtgt/xxxx.yyyy.zzz@xxxx.yyyy.zzzz
[tester5@xxx essentialsql]$  krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
Last login: Thu Feb  4 15:12:04 on :0

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Dave Hodgins 2016-02-05 04:08:29 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-02-05 18:28:05 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0052.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED