Bug 11668 - krb5 new security issues CVE-2013-1417 and CVE-2013-1418
: krb5 new security issues CVE-2013-1417 and CVE-2013-1418
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/574583/
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-14 15:52 CET by David Walser
Modified: 2013-11-21 16:45 CET (History)
5 users (show)

See Also:
Source RPM: krb5-1.11.3-3.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-11-14 15:52:30 CET
Upstream has released version 1.11.4 on November 4, fixing two security issues:
http://web.mit.edu/kerberos/krb5-1.11/

CVE-2013-1417 was fixed in July here:
https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc

Looking at the code, I don't believe CVE-2013-1417 affects 1.9.2 in Mageia 2.

For CVE-2013-1418, Fedora incorporated an upstream patch against 1.11.3 in Fedora 19 here:
http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?h=f19&id=74a7640cba4b98dde8e04127fef62718f4003a1e

More details on CVE-2013-1418 are in the RedHat bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418

The CVE-2013-1418 patch is easily re-diffed against 1.9.2 for Mageia 2.

I've checked the CVE-2013-1417 and CVE-2013-1418 patches in to SVN for Mageia 3 and the CVE-2013-1418 patch into SVN for Mageia 2.

I've also verified that 1.11.4 builds in Cauldron.  Guillaume, if you'd like, I can check it into Cauldron SVN and request the freeze push, or you can do it.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-14 16:50:58 CET
Just compiling the advisories for when we do push this to QA.

BTW the commit log entry for CVE-2013-1417 confirms that only 1.11.x is vulnerable.  CVE-2013-1418 was also fixed in 1.10.7 for that branch.

Advisory (Mageia 2):
========================

Updated krb5 packages fix security vulnerabilities:

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC. This
can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.9.2-2.7.mga2
libkrb53-1.9.2-2.7.mga2
libkrb53-devel-1.9.2-2.7.mga2
krb5-server-1.9.2-2.7.mga2
krb5-server-ldap-1.9.2-2.7.mga2
krb5-workstation-1.9.2-2.7.mga2
krb5-pkinit-openssl-1.9.2-2.7.mga2

from krb5-1.9.2-2.7.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated krb5 packages fix security vulnerabilities:

An authenticated remote client can cause a KDC to crash by making a valid
TGS-REQ to a KDC serving a realm with a single-component name. The
process_tgs_req() function dereferences a null pointer because an unusual
failure condition causes a helper function to return success (CVE-2013-1417).

If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC. This
can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.1-1.3.mga3
libkrb53-devel-1.11.1-1.3.mga3
libkrb53-1.11.1-1.3.mga3
krb5-server-1.11.1-1.3.mga3
krb5-server-ldap-1.11.1-1.3.mga3
krb5-workstation-1.11.1-1.3.mga3
krb5-pkinit-openssl-1.11.1-1.3.mga3

from krb5-1.11.1-1.3.mga3.src.rpm
Comment 2 David Walser 2013-11-15 12:37:58 CET
krb5-1.11.4-1.mga4 uploaded for Cauldron.  Thanks Guillaume!
Comment 3 David Walser 2013-11-15 12:53:44 CET
Patched packages uploaded for Mageia 2 and Mageia 3.

Advisories and package lists in Comment 1.
Comment 4 Dave Hodgins 2013-11-18 19:38:01 CET
Testing complete on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push the advisories 11668.mga2.adv and
11668.mga3.adv to updates.
Comment 5 Oden Eriksson 2013-11-19 10:23:44 CET
======================================================
Name: CVE-2013-6800
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131115
Category: 
Reference: CONFIRM:http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757
Reference: CONFIRM:https://github.com/krb5/krb5/commit/c2ccf4197f697c4ff143b8a786acdd875e70a89d

An unspecified third-party database module for the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote
authenticated users to cause a denial of service (NULL pointer
dereference and daemon crash) via a crafted request, a different
vulnerability than CVE-2013-1418.
Comment 6 David Walser 2013-11-19 14:00:00 CET
I concur with the RedHat folks that CVE-2013-6800 shouldn't have been assigned for this; it's just a simple NULL pointer dereference and it's CVE-2013-1418.  We don't have 1.10.x packaged, and our update is for 1.11.x for Mageia 3.  For 1.9.x for Mageia 2, I don't see any reason to call it anything other than CVE-2013-1418.
https://bugzilla.redhat.com/show_bug.cgi?id=1031499
Comment 7 Thomas Backlund 2013-11-20 22:01:39 CET
Mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0335.html

Mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0336.html

Note You need to log in before you can comment on or make changes to this bug.