Bug 15202 - krb5 new security issues CVE-2014-5352 and CVE-2014-942[1-3]
Summary: krb5 new security issues CVE-2014-5352 and CVE-2014-942[1-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/631828/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-02-04 16:41 CET by David Walser
Modified: 2015-02-15 16:57 CET (History)
2 users (show)

See Also:
Source RPM: krb5-1.11.4-1.3.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-02-04 16:41:35 CET
Upstream has issued an advisory on February 3:
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt

Debian has issued an advisory for this:
https://www.debian.org/security/2015/dsa-3153

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

Incorrect memory management in the libgssapi_krb5 library might result in
denial of service or the execution of arbitrary code (CVE-2014-5352).

Incorrect memory management in kadmind's processing of XDR data might result
in denial of service or the execution of arbitrary code (CVE-2014-9421).

Incorrect processing of two-component server principals might result in
impersonation attacks (CVE-2014-9422).

An information leak in the libgssrpc library (CVE-2014-9423).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt
https://www.debian.org/security/2015/dsa-3153
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.4-1.4.mga4
libkrb53-devel-1.11.4-1.4.mga4
libkrb53-1.11.4-1.4.mga4
krb5-server-1.11.4-1.4.mga4
krb5-server-ldap-1.11.4-1.4.mga4
krb5-workstation-1.11.4-1.4.mga4
krb5-pkinit-openssl-1.11.4-1.4.mga4

from krb5-1.11.4-1.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-02-04 16:41:48 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

David Walser 2015-02-04 20:06:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/631828/

Comment 2 olivier charles 2015-02-04 21:27:37 CET
Testing on Mageia 4x64 real hardware following procedure mentioned in Comment 1

From current packages :
---------------------
$ rpm -q -i krb5-server
Name        : krb5-server
Version     : 1.11.4
Release     : 1.3.mga4
Architecture: x86_64

To updated testing packages :
---------------------------
- krb5-1.11.4-1.4.mga4.x86_64
- krb5-pkinit-openssl-1.11.4-1.4.mga4.x86_64
- krb5-server-1.11.4-1.4.mga4.x86_64
- krb5-server-ldap-1.11.4-1.4.mga4.x86_64
- krb5-workstation-1.11.4-1.4.mga4.x86_64
- lib64krb53-1.11.4-1.4.mga4.x86_64
- lib64krb53-devel-1.11.4-1.4.mga4.x86_64

In both instances after restarting xinetd.service, command
$ krlogin $(hostname) 
showed :
This rlogin session is encrypting all data transmissions.

All OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 claire robinson 2015-02-11 16:20:02 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-64-OK => has_procedure advisory MGA4-64-OK

Comment 4 David Walser 2015-02-13 15:22:27 CET
I've never been able to get Dave's full test cases working in a VM with the secure msec level set, but I have krb5.conf configured for our AD server domain here, and kinit (AD username) works and klist shows me my ticket.  I think that's a sufficient test (Mageia 4 i586).

Whiteboard: has_procedure advisory MGA4-64-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

Comment 5 claire robinson 2015-02-13 19:24:21 CET
Validating.

Please push to 4 updates.

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-02-15 16:57:53 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0066.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.