Bug 33073 - krb5 new security issues CVE-2024-26458 and CVE-2024-26461
Summary: krb5 new security issues CVE-2024-26458 and CVE-2024-26461
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2024-04-09 10:32 CEST by Nicolas Salguero
Modified: 2024-05-01 00:26 CEST (History)
4 users (show)

See Also:
Source RPM: krb5-1.20.1-1.mga9.src.rpm
CVE: CVE-2024-26458, CVE-2024-26461
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-04-09 10:32:46 CEST 
SUSE has issued an advisory on April 8:
https://lwn.net/Articles/968978/

Mageia 9 is also affected.
Nicolas Salguero 2024-04-09 10:33:57 CEST

Status comment: (none) => Patches available from SUSE
CVE: (none) => CVE-2024-26458, CVE-2024-26461
Source RPM: (none) => krb5-1.21.2-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-04-09 21:31:44 CEST 
This starting point: https://lwn.net/Articles/968978/
  * CVE-2024-26458
  * CVE-2024-26461
contains these URLs:
 * https://bugzilla.suse.com/show_bug.cgi?id=1220770
 * https://bugzilla.suse.com/show_bug.cgi?id=1220771
which lead to what look like these patches:
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_5.png
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_1.png

In the absence of an obvious maintainer, assigning this globally.
CC'ing wally who has done most recent commits.

Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa

Comment 2 Nicolas Salguero 2024-04-29 13:56:40 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. (CVE-2024-26458)

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. (CVE-2024-26461)

References:
https://lwn.net/Articles/968978/
========================

Updated packages in core/updates_testing:
========================
krb5-1.20.1-1.1.mga9
krb5-pkinit-1.20.1-1.1.mga9
krb5-server-1.20.1-1.1.mga9
krb5-server-ldap-1.20.1-1.1.mga9
krb5-workstation-1.20.1-1.1.mga9
lib(64)krb53-1.20.1-1.1.mga9
lib(64)krb53-devel-1.20.1-1.1.mga9

from SRPM:
krb5-1.20.1-1.1.mga9.src.rpm

Status comment: Patches available from SUSE => (none)
Source RPM: krb5-1.21.2-2.mga10.src.rpm => krb5-1.20.1-1.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)

Comment 3 katnatek 2024-04-30 04:18:38 CEST 
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
Marking krb5 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list


installing krb5-1.20.1-1.1.mga9.x86_64.rpm krb5-server-ldap-1.20.1-1.1.mga9.x86_64.rpm lib64krb53-devel-1.20.1-1.1.mga9.x86_64.rpm krb5-pkinit-1.20.1-1.1.mga9.x86_64.rpm krb5-server-1.20.1-1.1.mga9.x86_64.rpm lib64krb53-1.20.1-1.1.mga9.x86_64.rpm krb5-workstation-1.20.1-1.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/7: krb5                  ##################################################################################################
      2/7: lib64krb53            ##################################################################################################
      3/7: lib64krb53-devel      ##################################################################################################
      4/7: krb5-server           ##################################################################################################
      5/7: krb5-server-ldap      ##################################################################################################
      6/7: krb5-pkinit           ##################################################################################################
      7/7: krb5-workstation      ##################################################################################################
      1/3: removing lib64krb53-devel-1.20.1-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64krb53-1.20.1-1.mga9.x86_64
                                 ##################################################################################################
      3/3: removing krb5-1.20.1-1.mga9.x86_64
                                 ##################################################################################################


I think the procedure https://wiki.mageia.org/en/QA_procedure:Krb5 should give some suggestions other than just [If the setup script complains that the forward and reverse dsn settings do not match, post a request for help to the qa discussion list.] 

I let in clean install, and Wait to see if others do a successful test
Comment 4 Herman Viaene 2024-04-30 14:45:51 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Followed QA procedure, and it works OK as described, until at the end the krlogin command does not return feedback, and a telnet returns connection refused.
This is all quite the same as in previous bugs 31157 and 29260 and 24068, so giving the OK following those and the comment above.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-04-30 21:54:26 CEST 
With three bugs for examples, that should be good enough. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2024-05-01 00:26:09 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0158.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.