Bug 17116 - krb5 new security issue CVE-2015-2698
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/663791/
Whiteboard: has_procedure advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-11-09 20:42 CET by David Walser
Modified: 2015-11-16 22:37 CET

See Also:
Source RPM: krb5-1.12.2-8.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-11-09 20:42:35 CET
Fedora has issued an advisory on November 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171079.html

This issue is a regression from the CVE-2015-2696 fix (Bug 17078).

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated (CVE-2015-2698).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2698
http://advisories.mageia.org/MGASA-2015-0436.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171079.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.2-8.2.mga5
libkrb53-devel-1.12.2-8.2.mga5
libkrb53-1.12.2-8.2.mga5
krb5-server-1.12.2-8.2.mga5
krb5-server-ldap-1.12.2-8.2.mga5
krb5-workstation-1.12.2-8.2.mga5
krb5-pkinit-openssl-1.12.2-8.2.mga5

from krb5-1.12.2-8.2.mga5.src.rpm

Comment 1 David Walser 2015-11-09 20:42:49 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2015-11-10 14:49:39 CET
MGA5-32 on AcerD620 Xfce
No installation issues, but leaves a question: the previous version of krb5 was installed, but selecting the new version of krb does not draw in the new version of the other package. I selected those myself, but a user not very awake could end up with krb5-8.2 and libkrb53-8.2. Is that safe and/or friendly????
Completed the test procedure as per Comment 1, OK for me. Just one remark:
If you're lazy as I was, and just hit <Enter> on defining the passwords, and then do the same on calling kinit, I got:
 Password incorrect while getting initial credentials
I reran the setup, this time with real passwords, and then all was OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
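
An added example (not part of the bug report or of Mageia's QA procedure): a shell check that compares installed krb5 packages against the fixed build 1.12.2-8.2.mga5 from the update list and flags a partial update of the kind Comment 2 asks about. The function names and the sample input are constructed, and GNU `sort -V` is assumed as an approximation of rpm's version ordering.

```shell
#!/bin/sh
# Added example: audit krb5 package builds against the CVE-2015-2698 fix.
FIXED="1.12.2-8.2.mga5"   # fixed version-release, from the update list on this page

# ver_ge A B: succeeds when A sorts at or after B.
# Assumption: GNU `sort -V` approximates rpm's version comparison, which is
# adequate for builds of the same upstream version such as these.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_krb5_fix: reads "name version-release" lines on stdin, prints one
# verdict per package, and returns 0 only if every package has the fix.
check_krb5_fix() {
    local name evr rc=0 seen=""
    while read -r name evr; do
        [ -n "$name" ] || continue
        if ver_ge "$evr" "$FIXED"; then
            echo "OK       $name $evr"
        else
            echo "OUTDATED $name $evr (needs >= $FIXED)"
            rc=1
        fi
        # Track distinct builds to spot a partially applied update.
        case " $seen " in
            *" $evr "*) ;;
            *) seen="$seen $evr" ;;
        esac
    done
    set -- $seen
    [ "$#" -le 1 ] || echo "MIXED    packages are at different builds:$seen"
    return "$rc"
}

# Constructed sample: only krb5 itself was selected for update.
sample_partial() {
    printf '%s\n' "krb5 1.12.2-8.2.mga5" "libkrb53 1.12.2-8.1.mga5" \
        "krb5-workstation 1.12.2-8.1.mga5"
}

sample_partial | check_krb5_fix || echo "=> update all krb5 packages together"
```

On a live system, feed the function from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'krb5*' 'libkrb53*'` instead of the sample.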

Comment 3 claire robinson 2015-11-16 09:43:34 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2015-11-16 17:35:33 CET
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK

Comment 5 Mageia Robot 2015-11-16 22:37:41 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0446.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

