| Summary: | krb5 new security issue CVE-2012-1013 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, guillomovitch, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/502054/ | ||
| Whiteboard: | MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, MGA2-64-OK | ||
| Source RPM: | krb5-1.9.2-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Patch to fix kadmin startup script; krb5_server_setup.sh script for qa testers to install and create principals; krb5_server_setup.sh - QA Testing script for installing and setting up kerberos | ||
Description
David Walser
2012-06-14 22:48:19 CEST
David Walser
2012-06-14 22:48:27 CEST
Whiteboard:
(none) =>
MGA2TOO, MGA1TOO
David Walser
2012-06-14 22:48:33 CEST
Source RPM:
krb5-1.9.2-2.mga2.src.rp =>
krb5-1.9.2-2.mga2.src.rpm
David Walser
2012-06-14 22:48:43 CEST
CC:
(none) =>
guillomovitch
David Walser
2012-06-14 22:48:49 CEST
CC:
(none) =>
dmorganec

Patched packages uploaded for Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm

Version:
Cauldron =>
2

Testing complete on Mageia 1 i586 for the srpm krb5-1.8.3-5.2.mga1.src.rpm

After installing, setting up the principals, enabling /etc/xinetd.d/eklogin I was able to use kinit to get a ticket, and then use klogin to get access to the Kerberized service.

I'll attach the script I used to install and set up the principals, and add the testing procedure to https://wiki.mageia.org/en/Testing_procedure_for_krb5 after I complete testing on Mageia 2 i586.

CC:
(none) =>
davidwhodgins

I'm having a problem using the same procedure on Mageia 2. The krb5kdc service starts ok, but the kadmin service is failing to start with

kadmin[2542]: Error. Default principal database does not exist.

Don't kadmin and krb5kdc use the same config file?

/etc/krb5.conf, /etc/kerberos/krb5kdc/kdc.conf, and /etc/kerberos/krb5kdc/kadm5.acl are identical to what I used in Mageia 1, as are the kadmin.local commands I used to create the principals.

Created attachment 2476 [details]
Patch to fix kadmin startup script
Figured out the problem. My Mageia 1 install is the same one I used to
test kerberos last November. When I removed it, I missed the empty file
/var/kerberos/krb5kdc/principal, which is not currently owned by any package.
Whatever created it when I installed last November is no longer creating it
now, so this is a regression that is affecting both Mageia 1 and Mageia 2.
The attached patch should be applied to both.
In addition, in Mageia 2,
$ cat /usr/bin/krlogin
#!/bin/sh
/usr/kerberos/bin/rlogin -x "$@"
while in Mageia 1, where it works,
$ cat /usr/bin/krlogin
#!/bin/sh
/usr/bin/rlogin -x "$@"
So the Mageia 1 version of krlogin should be copied to the Mageia 2 version.
claire robinson
2012-06-20 18:39:10 CEST
Hardware:
i586 =>
All

Reassigning back to developer till the problems in comment 4 are taken care of.

CC:
(none) =>
qa-bugs
David Walser
2012-06-20 21:28:54 CEST
Assignee:
luigiwalser =>
guillomovitch
Dave Hodgins
2012-06-20 22:26:37 CEST
Whiteboard:
MGA1TOO, mga1-32-OK =>
MGA1TOO

Created attachment 2478 [details]
krb5_server_setup.sh script for qa testers to install and create principals.
Those wrappers belong to the krb5-appl package, not to krb5. I just submitted a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.

Thanks Guillaume. Updated advisory and assigned back to QA.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2
krb5-appl-clients-1.0.2-3.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm
krb5-appl-1.0.2-3.1.mga2.src.rpm

CC:
qa-bugs =>
(none)

BTW, this 'security hole' had a very low impact factor, reading the description 'allows remote authenticated administrators to cause a denial of service'. "authenticated admins" = "the guys with already full data read/write access" :)

Testing complete on Mageia 1 i586 using the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5

Will test Mageia 2 i586 shortly.

(In reply to comment #7)
> Those wrappers belong to the krb5-appl package, not to krb5. I just submitted
> a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.

rpm -q -f /etc/init.d/kadmin
krb5-server-1.9.2-2.1.mga2

Just realized my Mageia 1 test still used my patched version of the /etc/init.d/kadmin script, so wasn't a valid test.

In Mageia 2, it still fails to start kadmin due to it looking for /var/kerberos/krb5kdc/principal instead of /etc/kerberos/krb5kdc/principal.

Take a look at the patch attached to comment 4.

(In reply to comment #11)
> Just realized my Mageia 1 test still used my patched version of the
> /etc/init.d/kadmin script, so wasn't a valid test.

So does it work there or not?

> In Mageia 2, it still fails to start kadmin due to it looking for
> /var/kerberos/krb5kdc/principal instead of
> /etc/kerberos/krb5kdc/principal.

Is this a problem with /etc/init.d/kadmin? Is it fine in Mageia 1?

> Take a look at the patch attached to comment 4.

Already applied by Guillaume, or did I miss something?

(In reply to comment #12)
> (In reply to comment #11)
> > Just realized my Mageia 1 test still used my patched version of the
> > /etc/init.d/kadmin script, so wasn't a valid test.
>
> So does it work there or not?

After uninstalling/reinstalling krb5-server, the kadmin service cannot be started due to the wrong path for the database.

> > In Mageia 2, it still fails to start kadmin due to it looking for
> > /var/kerberos/krb5kdc/principal instead of
> > /etc/kerberos/krb5kdc/principal.
>
> Is this a problem with /etc/init.d/kadmin? Is it fine in Mageia 1?
>
> > Take a look at the patch attached to comment 4.
>
> Already applied by Guillaume, or did I miss something?

As far as I can see, only the problem with the Mageia 2 version of /usr/bin/krlogin was fixed. The problem with /etc/init.d/kadmin still exists in both Mageia 1 and 2.

Thanks Dave, I understand now. I noticed the same thing in the kprop init script. I have asked on the -dev list if all of these should just be changed. Assuming yes, does this sound like the right thing to add to the advisory?

The paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have also been fixed.

Well I have made the changes. They seem correct, looking at the config file. It may be a while before the Mageia 2 packages are available on the mirrors, as the build system seems to be having some issues.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm

While it is obviously needed to make init scripts (and systemd services) compliant with database location, it is less obvious which path should be used exactly. As this database is actually state information, and for consistency with other kerberos package (heimdal), and for consistency with fedora, I'll switch the cauldron package to use /var/kerberos instead of /etc/kerberos.

For the security update, it could be considered less intrusive to keep the current path, for the sake of not disturbing a running service. However, given the lack of bug reports on this topic, it's highly probable no one ever used this package,...

update: I used /var/lib/krb5kdc, as gentoo, which seems more FHS consistent.

Thanks Guillaume.

Mageia 2 update finished building and all of the packages are on the mirrors.

Created attachment 2526 [details]
krb5_server_setup.sh - QA Testing script for installing and setting up kerberos

The advisory is missing the srpm krb5-appl-1.0.1-2.3.1.mga1.src.rpm and rpm package krb5-appl-clients-1.0.1-2.3.1.mga1 and the Mageia 2 equivalents.

I've updated the QA Testing script to parse the db location from the file /etc/kerberos/krb5kdc/kdc.conf

Testing complete on Mageia 1 i586.

I'll update https://wiki.mageia.org/en/QA_procedure:Krb5 to point to the new attachment.
I'll test Mageia 2 i586 shortly.
Attachment 2478 is obsolete:
0 =>
1
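
The path mismatch discussed in this thread (an init script testing for a principal database at a different path from the one kdc.conf names, and the QA script reading the location from kdc.conf) can be checked mechanically. The following is an added example, not the attached patch or krb5_server_setup.sh; the function names and the sample file contents in demo() are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the attached patch or QA script). Function names are
# hypothetical; the sample file contents in demo() are constructed.

# Print database_name from a kdc.conf-style file, or the fallback in $2.
kdc_db_path() {
    db=$(awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 ~ /^[ \t]*database_name[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1")
    printf '%s\n' "${db:-$2}"
}

# Print every absolute path ending in /principal that the script mentions.
script_db_paths() {
    grep -o '/[A-Za-z0-9_./-]*/principal' "$1" | sort -u
}

# check_db_path KDC_CONF INIT_SCRIPT [FALLBACK]
# 0: all paths agree, 1: the script names a different path, 2: no path known.
check_db_path() {
    want=$(kdc_db_path "$1" "${3:-}")
    [ -n "$want" ] || { echo "no database_name found in $1" >&2; return 2; }
    rc=0
    for p in $(script_db_paths "$2"); do
        [ "$p" = "$want" ] && continue
        echo "MISMATCH: $2 tests $p, kdc.conf names $want" >&2
        rc=1
    done
    return "$rc"
}

# Constructed files reproducing the mismatch reported in the thread.
demo() {
    d=$(mktemp -d) || return 2
    printf '[realms]\n EXAMPLE.COM = {\n  database_name = %s\n }\n' \
        /etc/kerberos/krb5kdc/principal > "$d/kdc.conf"
    printf '[ -f /var/kerberos/krb5kdc/principal ] || exit 6\n' > "$d/kadmin"
    status=0
    check_db_path "$d/kdc.conf" "$d/kadmin" || status=$?
    rm -rf "$d"
    return "$status"
}

case "${1:-}" in demo) demo ;; esac
```

Run with the argument `demo` to see the mismatch reported for the constructed files, or call check_db_path with a real kdc.conf and init script after sourcing the functions.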
Dave Hodgins
2012-07-05 19:23:51 CEST
Whiteboard:
MGA1TOO =>
MGA1TOO, mga1-32-OK

My mistake. The rpm packages
krb5-appl-clients-1.0.2-3.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2
from the srpm krb5-appl-1.0.2-3.1.mga2.src.rpm only apply to Mageia 2, not Mageia 1.

Testing complete on Mageia 2 i586.

Whiteboard:
MGA1TOO, mga1-32-OK =>
MGA1TOO, mga1-32-OK, mga2-32-OK

Mandriva has issued an advisory for this today (July 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:102

Testing complete on Mageia 1 64 bits using procedure at https://wiki.mageia.org/en/QA_procedure:Krb5 (thanks Dave, much useful!)

CC:
(none) =>
stormi

Testing complete on Mageia 2 64 bits.

Update validated. Sorry for the delay.

No linking needed.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm

Keywords:
(none) =>
validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0178

Status:
NEW =>
RESOLVED

krb5-appl-1.0.2-3.1.mga2.src.rpm should have been pushed with this update (see Comment 8).

Thomas, could you push this one please? Sorry about this :o(

Status:
RESOLVED =>
REOPENED

krb5-appl pushed

Status:
REOPENED =>
RESOLVED