Fedora has issued an advisory on June 2:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html

It is fixed upstream in 1.10.2, and there is a link to the upstream change that fixed it in Red Hat's bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=827517
Whiteboard: (none) => MGA2TOO, MGA1TOO
Source RPM: krb5-1.9.2-2.mga2.src.rp => krb5-1.9.2-2.mga2.src.rpm
CC: (none) => guillomovitch
CC: (none) => dmorganec
Patched packages uploaded for Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Testing complete on Mageia 1 i586 for the srpm krb5-1.8.3-5.2.mga1.src.rpm.

After installing, setting up the principals, and enabling /etc/xinetd.d/eklogin, I was able to use kinit to get a ticket, and then use klogin to get access to the Kerberized service.

I'll attach the script I used to install and set up the principals, and add the testing procedure to https://wiki.mageia.org/en/Testing_procedure_for_krb5 after I complete testing on Mageia 2 i586.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => mga1-32-OK
I'm having a problem using the same procedure on Mageia 2. The krb5kdc service starts ok, but the kadmin service is failing to start with:

kadmin[2542]: Error. Default principal database does not exist.

Don't kadmin and krb5kdc use the same config file? /etc/krb5.conf, /etc/kerberos/krb5kdc/kdc.conf, and /etc/kerberos/krb5kdc/kadm5.acl are identical to what I used in Mageia 1, as are the kadmin.local commands I used to create the principals.
Created attachment 2476 [details]
Patch to fix kadmin startup script

Figured out the problem. My Mageia 1 install is the same one I used to test kerberos last November. When I removed it, I missed the empty file /var/kerberos/krb5kdc/principal, which is not currently owned by any package. Whatever created it when I installed last November is no longer creating it now, so this is a regression that is affecting both Mageia 1 and Mageia 2. The attached patch should be applied to both.

In addition, in Mageia 2,

$ cat /usr/bin/krlogin
#!/bin/sh
/usr/kerberos/bin/rlogin -x "$@"

while in Mageia 1, where it works,

cat /usr/bin/krlogin
#!/bin/sh
/usr/bin/rlogin -x "$@"

So the Mageia 1 version of krlogin should be copied to the Mageia 2 version.
Hardware: i586 => All
Whiteboard: mga1-32-OK => MGA1TOO, mga1-32-OK
Reassigning back to developer till the problems in comment 4 are taken care of.
CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser
Assignee: luigiwalser => guillomovitch
Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO
Created attachment 2478 [details]
krb5_server_setup.sh script for qa testers to install and create principals.
Those wrappers belong to the krb5-appl package, not to krb5. I just submitted a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.
Thanks Guillaume. Updated advisory and assigned back to QA.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2
krb5-appl-clients-1.0.2-3.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm
krb5-appl-1.0.2-3.1.mga2.src.rpm
CC: qa-bugs => (none)
Assignee: guillomovitch => qa-bugs
BTW, this 'security hole' had a very low impact factor, reading the description 'allows remote authenticated administrators to cause a denial of service'. "authenticated admins" = "the guys with already full data read/write access" :)
Testing complete on Mageia 1 i586 using the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5

Will test Mageia 2 i586 shortly.
(In reply to comment #7)
> Those wrappers belong to the krb5-appl package, not to krb5. I just submitted
> a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.

rpm -q -f /etc/init.d/kadmin
krb5-server-1.9.2-2.1.mga2

Just realized my Mageia 1 test still used my patched version of the /etc/init.d/kadmin script, so it wasn't a valid test.

In Mageia 2, it still fails to start kadmin due to it looking for /var/kerberos/krb5kdc/principal instead of /etc/kerberos/krb5kdc/principal.

Take a look at the patch attached to comment 4.
(In reply to comment #11)
> Just realized my Mageia 1 test still used my patched version of the
> /etc/init.d/kadmin script, so wasn't a valid test.

So does it work there or not?

> In Mageia 2, it still fails to start kadmin due to it looking for
> /var/kerberos/krb5kdc/principal instead of
> /etc/kerberos/krb5kdc/principal.

Is this a problem with /etc/init.d/kadmin? Is it fine in Mageia 1?

> Take a look at the patch attached to comment 4.

Already applied by Guillaume, or did I miss something?
(In reply to comment #12)
> (In reply to comment #11)
> > Just realized my Mageia 1 test still used my patched version of the
> > /etc/init.d/kadmin script, so wasn't a valid test.
>
> So does it work there or not?

After uninstalling/reinstalling krb5-server, the kadmin service cannot be started due to the wrong path for the database.

> > In Mageia 2, it still fails to start kadmin due to it looking for
> > /var/kerberos/krb5kdc/principal instead of
> > /etc/kerberos/krb5kdc/principal.
>
> Is this a problem with /etc/init.d/kadmin? Is it fine in Mageia 1?
>
> > Take a look at the patch attached to comment 4.
>
> Already applied by Guillaume, or did I miss something?

As far as I can see, only the problem with the Mageia 2 version of /usr/bin/krlogin was fixed. The problem with /etc/init.d/kadmin still exists in both Mageia 1 and 2.
Thanks Dave, I understand now. I noticed the same thing in the kprop init script. I have asked on the -dev list if all of these should just be changed.
Assuming yes, does this sound like the right thing to add to the advisory?

The paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have also been fixed.
Well I have made the changes. They seem correct, looking at the config file. It may be a while before the Mageia 2 packages are available on the mirrors, as the build system seems to be having some issues.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm
While it is obviously needed to make init scripts (and systemd services) consistent with the database location, it is less obvious which path should be used exactly. As this database is actually state information, and for consistency with the other kerberos package (heimdal), and for consistency with Fedora, I'll switch the cauldron package to use /var/kerberos instead of /etc/kerberos.

For the security update, it could be considered less intrusive to keep the current path, for the sake of not disturbing a running service. However, given the lack of bug reports on this topic, it's highly probable no one ever used this package,...
update: I used /var/lib/krb5kdc, as Gentoo does, which seems more FHS consistent.
Thanks Guillaume.
Mageia 2 update finished building and all of the packages are on the mirrors.
Created attachment 2526 [details]
krb5_server_setup.sh - QA Testing script for installing and setting up kerberos

The advisory is missing the srpm krb5-appl-1.0.1-2.3.1.mga1.src.rpm and rpm package krb5-appl-clients-1.0.1-2.3.1.mga1 and the Mageia 2 equivalents.

I've updated the QA Testing script to parse the db location from the file /etc/kerberos/krb5kdc/kdc.conf

Testing complete on Mageia 1 i586. I'll update https://wiki.mageia.org/en/QA_procedure:Krb5 to point to the new attachment.

I'll test Mageia 2 i586 shortly.
Attachment 2478 is obsolete: 0 => 1
Whiteboard: MGA1TOO => MGA1TOO, mga1-32-OK
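An added example, not the attached QA script and not code from any Mageia package: a POSIX shell function that reads the principal database location out of a kdc.conf-style file, which is what the updated QA script and a correct init script need instead of testing a hardcoded /etc/kerberos or /var/kerberos path. It assumes the usual kdc.conf layout (database_name inside the realm's block under [realms], with [kdcdefaults] as the fallback) and ignores [dbmodules]; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not the attached QA script or the Mageia init script):
# resolve the principal database location from a kdc.conf-style file instead
# of testing a hardcoded /etc/kerberos or /var/kerberos path.
# Assumes the common layout: a realm block under [realms] may set
# database_name, with [kdcdefaults] as the fallback; [dbmodules] is ignored.

# Usage: kdc_db_path FILE REALM -> prints the path, exit 1 if none configured
kdc_db_path() {
    awk -v realm="$2" '
        { sub(/=/, " = ") }                         # allow "key=value" without spaces
        /^[ \t]*\[/ { s = index($0, "["); e = index($0, "]")
                      sec = substr($0, s + 1, e - s - 1); inrealm = 0; next }
        sec == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        sec == "realms" && inrealm && $1 == "}"  { inrealm = 0; next }
        $1 == "database_name" && $2 == "=" {
            if (inrealm)                   realmdb = $3   # realm-specific wins
            else if (sec == "kdcdefaults") defdb = $3
        }
        END {
            if (realmdb != "") { print realmdb; exit 0 }
            if (defdb != "")   { print defdb;   exit 0 }
            exit 1
        }' "$1"
}

# Usage: check_kdc_db FILE REALM -> 0 when the configured database file exists
# (the check the kadmin init script needed to make before starting kadmind)
check_kdc_db() {
    db=$(kdc_db_path "$1" "$2") || { echo "no database_name configured in $1" >&2; return 1; }
    [ -f "$db" ] || { echo "Error. Default principal database $db does not exist." >&2; return 1; }
}

# Constructed sample config (not a file from any Mageia package): the realm
# uses the new /var/lib path, the defaults keep the old /etc/kerberos one.
SAMPLE_KDC_CONF="${TMPDIR:-/tmp}/kdc.conf.example.$$"
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 database_name = /etc/kerberos/krb5kdc/principal
[realms]
 EXAMPLE.COM = {
  database_name = /var/lib/krb5kdc/principal
  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 }
EOF
echo "EXAMPLE.COM database: $(kdc_db_path "$SAMPLE_KDC_CONF" EXAMPLE.COM)"
echo "OTHER.ORG database:   $(kdc_db_path "$SAMPLE_KDC_CONF" OTHER.ORG)"
```

Run it as a script to see the two resolved paths, or source it and call check_kdc_db on a real kdc.conf to reproduce the kadmin startup check against the path the KDC is actually configured to use.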
My mistake. The rpm packages

krb5-appl-clients-1.0.2-3.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2

from the srpm krb5-appl-1.0.2-3.1.mga2.src.rpm only apply to Mageia 2, not Mageia 1.

Testing complete on Mageia 2 i586.
Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK
Mandriva has issued an advisory for this today (July 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:102
Testing complete on Mageia 1 64 bits using the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5 (thanks Dave, very useful!)
CC: (none) => stormi
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK
Testing complete on Mageia 2 64 bits. Update validated. Sorry for the delay. No linking needed.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password (CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0178
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
krb5-appl-1.0.2-3.1.mga2.src.rpm should have been pushed with this update (see Comment 8). Thomas, could you push this one please? Sorry about this :o(
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
krb5-appl pushed
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED