Bug 6929

Summary: krb5 new security issue CVE-2012-1015
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/509170/
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK MGA2-32-OK
Source RPM: krb5-1.9.2-2.2.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-08-01 22:58:46 CEST 
Mandriva has issued an advisory today (August 1):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

The MIT krb5 KDC (Key Distribution Center) daemon can free an
uninitialized pointer while processing an unusual AS-REQ, corrupting
the process heap and possibly causing the daemon to abnormally
terminate. An attacker could use this vulnerability to execute
malicious code, but exploiting frees of uninitialized pointers to
execute code is believed to be difficult. It is possible that a
legitimate client that is misconfigured in an unusual way could
trigger this vulnerability (CVE-2012-1015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.4.mga1
libkrb53-devel-1.8.3-5.4.mga1
libkrb53-1.8.3-5.4.mga1
krb5-server-1.8.3-5.4.mga1
krb5-server-ldap-1.8.3-5.4.mga1
krb5-workstation-1.8.3-5.4.mga1
krb5-pkinit-openssl-1.8.3-5.4.mga1
krb5-1.9.2-2.3.mga2
libkrb53-devel-1.9.2-2.3.mga2
libkrb53-1.9.2-2.3.mga2
krb5-server-1.9.2-2.3.mga2
krb5-server-ldap-1.9.2-2.3.mga2
krb5-workstation-1.9.2-2.3.mga2
krb5-pkinit-openssl-1.9.2-2.3.mga2

from SRPMS:
krb5-1.8.3-5.4.mga1.src.rpm
krb5-1.9.2-2.3.mga2.src.rpm
David Walser 2012-08-01 22:58:52 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 Samuel Verschelde 2012-08-02 09:56:57 CEST 
We've got a testing procedure for testing krb5: https://wiki.mageia.org/en/QA_procedure:Krb5

No known exploit, so following the testing procedure should be enough.

CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 2 Dave Hodgins 2012-08-02 20:44:34 CEST 
Testing complete on Mageia 1 i586.

I'll be testing the others shortly.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2012-08-02 21:06:33 CEST 
On Mageia 1 x86-64, everything is fine until I try to krlogin.

There login fails, but there is no message displayed.
In /var/log/auth.log, there is an error message ...
klogind[32124]: Error reading message

I'm trying to figure out what is causing the problem.
Comment 4 Dave Hodgins 2012-08-02 22:37:50 CEST 
https://bugs.launchpad.net/ubuntu/+source/krb5-appl/+bug/564641

Seems to be the same problem and has a patch.

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure feedback

Comment 5 Dave Hodgins 2012-08-02 23:26:47 CEST 
Testing complete on Mageia 2 x86-64.

I'll retest Mageia 1 x86-64 to see if comment 3 is a regression.

I've also updated the procedure to show what output krlogin should
be displaying.

Whiteboard: MGA1TOO has_procedure feedback => MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK

David Walser 2012-08-02 23:36:18 CEST

Severity: normal => major

Comment 6 Dave Hodgins 2012-08-02 23:41:49 CEST 
I've now confirmed the problem with krlogin in Mageia 1 x86-64 is not a
regression.

As klist shows the ticket is being granted, I'll consider testing complete
on Mageia 1 64 bit, and will open a new bug report for the krlogin problem.

Whiteboard: MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK => MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK MGA1-64-OK

Dave Hodgins 2012-08-02 23:42:13 CEST

Whiteboard: MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK

Comment 7 Dave Hodgins 2012-08-03 00:10:20 CEST 
Testing complete.  Bug 6939 opened for the krlogin problem.

Could someone from the sysadmin team push the srpm
krb5-1.9.2-2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
krb5-1.8.3-5.4.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated krb5 packages fix security vulnerability:

The MIT krb5 KDC (Key Distribution Center) daemon can free an
uninitialized pointer while processing an unusual AS-REQ, corrupting
the process heap and possibly causing the daemon to abnormally
terminate. An attacker could use this vulnerability to execute
malicious code, but exploiting frees of uninitialized pointers to
execute code is believed to be difficult. It is possible that a
legitimate client that is misconfigured in an unusual way could
trigger this vulnerability (CVE-2012-1015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111

https://bugs.mageia.org/show_bug.cgi?id=6929

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK MGA2-32-OK

Comment 8 Thomas Backlund 2012-08-03 22:55:25 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0196

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED