Bug 30918 - krb5-appl new security issue CVE-2022-39028
Summary: krb5-appl new security issue CVE-2022-39028
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-30 20:44 CEST by David Walser
Modified: 2022-10-28 08:55 CEST (History)
4 users (show)

See Also:
Source RPM: krb5-appl-1.0.3-13.1.mga8.src.rpm
CVE: CVE-2022-39028
Status comment:


Attachments

Description David Walser 2022-09-30 20:44:24 CEST
SUSE has issued an advisory on September 29:
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012454.html

Mageia 8 is also affected.
David Walser 2022-09-30 20:44:36 CEST

Whiteboard: (none) => MGA8TOO
Severity: normal => major

Comment 1 Lewis Smith 2022-10-01 20:39:32 CEST
This looks right to assign to neoclust, registered maintainer.

Assignee: bugsquad => mageia

Comment 2 Nicolas Salguero 2022-10-19 11:34:37 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NULL pointer dereference in krb5-appl telnetd. (CVE-2022-39028)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39028
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012454.html
========================

Updated packages in core/updates_testing:
========================
krb5-appl-clients-1.0.3-13.2.mga8
krb5-appl-servers-1.0.3-13.2.mga8

from SRPM:
krb5-appl-1.0.3-13.2.mga8.src.rpm

Assignee: mageia => qa-bugs
Source RPM: krb5-appl-1.0.3-15.mga9.src.rpm => krb5-appl-1.0.3-13.1.mga8.src.rpm
Summary: krb5-appl new security issue CVE-2022-39208 => krb5-appl new security issue CVE-2022-39028
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-39028
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Comment 3 Herman Viaene 2022-10-25 14:47:38 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried to follow bug 28460 and the https://wiki.mageia.org/en/QA_procedure:Krb5,
but after editing the conf file and # systemctl restart xinetd.service
# systemctl -l status xinetd.service
● xinetd.service - Xinetd A Powerful Replacement For Inetd
     Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-25 14:42:43 CEST; 19s ago
       Docs: man:xinetd
             man:xinetd.conf
             man:xinetd.log
   Main PID: 22374 (xinetd)
      Tasks: 1 (limit: 4364)
     Memory: 744.0K
        CPU: 236ms
     CGroup: /system.slice/xinetd.service
             └─22374 /usr/sbin/xinetd -stayalive -dontfork

Oct 25 14:42:43 mach7.hviaene.thuis systemd[1]: Started Xinetd A Powerful Replacement For Inetd.
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/cvs [file=/etc/xinetd.conf] [line=60]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/eklogin [file=/etc/xinetd.d/eklogin] [line=12]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/ekrb5-telnet [file=/etc/xinetd.d/ekrb5-telnet] [line=13]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/gssftp [file=/etc/xinetd.d/gssftp] [line=14]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/klogin [file=/etc/xinetd.d/klogin] [line=14]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/krb5-telnet [file=/etc/xinetd.d/krb5-telnet] [line=12]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/kshell [file=/etc/xinetd.d/kshell] [line=13]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: 2.3.15.4 started with libwrap loadavg options compiled in.
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Started working: 1 available service
as normal user:
$ kinit
bash: kinit: command not found

CC: (none) => herman.viaene

Comment 4 David Walser 2022-10-25 15:07:07 CEST
kinit is in krb5-workstation
Comment 5 Dave Hodgins 2022-10-25 15:46:23 CEST
kinit worked in Mageia 7, but has never worked in Mageia 8.

krb5-appl should be dropped from Mageia since it does not work. No broken
updates for a broken package should be validated. Same with the rest of
the kerberos packages.

CC: (none) => davidwhodgins

Comment 6 David Walser 2022-10-25 16:59:41 CEST
krb5-appl is usable even if kerberos isn't working.  That's a separate issue of another package (and I seriously doubt it's broken for all use cases).
Comment 7 Dave Hodgins 2022-10-25 17:32:58 CEST
Without kinit working none of the programs in krb5-appl-clients or
krb5-appl-servers can work.

The workstation provides the authentication via for users and servers.

It ensures only validly logged in users anywhere on an untrusted network
can login, and that they can only access validated servers, to ensure there
isn't a man in the middle attack.

Without the workstation the clients can not connect, and the servers cannot
be accessed, even from the same computer the servers are running on.

The only krb5 packages that are of any use on Mageia 8 are
lib64krb53 and libkrb53 which are used by other applications.

All of the other rpm packages created from the krb5 source rpm are broken.
Comment 8 David Walser 2022-10-25 17:39:07 CEST
The krb5-appl programs are kerberized and support that, but telnet and ftp work without it.
Comment 9 David Walser 2022-10-28 00:25:17 CEST
Verified that ftp and telnet clients work fine.  Let's move this along.

Whiteboard: (none) => MGA8-64-OK

Comment 10 Dave Hodgins 2022-10-28 04:16:12 CEST
Letting it through just for ftp/telnet bothers me, but ok.

Validating the update. Advisory committed to svn.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 11 David Walser 2022-10-28 04:27:06 CEST
ftp and telnet are what these packages are primarily used for.
Comment 12 Mageia Robot 2022-10-28 08:55:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0394.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.