Bug 6469 - krb5 new security issue CVE-2012-1013
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/502054/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1...
Keywords: validated_update
Reported: 2012-06-14 22:48 CEST by David Walser
Modified: 2012-08-26 21:55 CEST
Source RPM: krb5-1.9.2-2.mga2.src.rpm

Attachments:
Patch to fix kadmin startup script (784 bytes, patch) - 2012-06-20 03:39 CEST, Dave Hodgins
krb5_server_setup.sh script for qa testers to install and create principals. (2.70 KB, text/plain) - 2012-06-21 03:08 CEST, Dave Hodgins
krb5_server_setup.sh - QA Testing script for installing and setting up kerberos (2.75 KB, application/octet-stream) - 2012-07-05 19:23 CEST, Dave Hodgins

Description David Walser 2012-06-14 22:48:19 CEST
Fedora has issued an advisory on June 2:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html

It is fixed upstream in 1.10.2, and there is a link to the upstream change that fixed it in Red Hat's Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=827517
Comment 1 David Walser 2012-06-15 21:11:09 CEST
Patched packages uploaded for Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before
1.10.2 allows remote authenticated administrators to cause a denial
of service (NULL pointer dereference and daemon crash) via a
KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password
(CVE-2012-1013).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm
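The crash the advisory describes, as an added illustration that is neither krb5's own source nor Mageia's patch: a simplified model of check_1_6_dummy with the pre-1.10.2 shape next to the fixed one. The attribute value is KRB5_KDB_DISALLOW_ALL_TIX from krb5's kdb.h and the dummy-password convention (the octets 1..255) is the one the upstream function tests for; the function names, the flat (attributes, password) interface, and modelling a create request that lacks a password as a NULL pointer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Attribute bit from krb5's kdb.h: the principal may not obtain tickets. */
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040

/* The 1.6-era dummy password was the octets 1..255, NUL-terminated.
 * Returns a pointer to a static copy (constructed test input). */
const char *the_1_6_dummy(void) {
    static char buf[256];
    int i;
    for (i = 0; i < 255; i++)
        buf[i] = (char)(i + 1);
    buf[255] = '\0';
    return buf;
}

/* 1 if password is exactly the 1.6 dummy, else 0. Dereferences password,
 * so the caller must guarantee it is non-NULL. */
static int is_1_6_dummy(const char *password) {
    int i;
    for (i = 0; (unsigned char)password[i] == i + 1; i++)
        ;
    return password[i] == '\0' && i == 255;
}

/* Vulnerable shape (before 1.10.2, an assumption modelled on the advisory):
 * once DISALLOW_ALL_TIX is set, the password is scanned without checking
 * that the request carried one. password == NULL models a create request
 * that lacks a password; with the flag set this dereferences NULL, which is
 * the kadmind crash. */
int check_dummy_vulnerable(unsigned int attributes, const char *password) {
    if (!(attributes & KRB5_KDB_DISALLOW_ALL_TIX))
        return 0;
    return is_1_6_dummy(password);
}

/* Fixed shape: a request with no password cannot carry the dummy, so
 * return before touching it. */
int check_dummy_fixed(unsigned int attributes, const char *password) {
    if (!(attributes & KRB5_KDB_DISALLOW_ALL_TIX) || password == NULL)
        return 0;
    return is_1_6_dummy(password);
}

int main(void) {
    printf("fixed, dummy password: %d\n",
           check_dummy_fixed(KRB5_KDB_DISALLOW_ALL_TIX, the_1_6_dummy()));
    printf("fixed, real password:  %d\n",
           check_dummy_fixed(KRB5_KDB_DISALLOW_ALL_TIX, "hunter2"));
    printf("fixed, no password:    %d\n",
           check_dummy_fixed(KRB5_KDB_DISALLOW_ALL_TIX, NULL));
    /* check_dummy_vulnerable(KRB5_KDB_DISALLOW_ALL_TIX, NULL) would fault. */
    return 0;
}
```

The early return is the whole fix: a create request flagged KRB5_KDB_DISALLOW_ALL_TIX but carrying no password reaches the byte scan in the vulnerable form and faults, while the fixed form answers "not the dummy" before any dereference. The request still has to arrive through kadmind's authenticated admin interface, which is what limits the impact to a crash triggered by someone who already holds admin rights.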
Comment 2 Dave Hodgins 2012-06-19 01:35:41 CEST
Testing complete on Mageia 1 i586 for the srpm
krb5-1.8.3-5.2.mga1.src.rpm

After installing, setting up the principals, enabling /etc/xinetd.d/eklogin
I was able to use kinit to get a ticket, and then use klogin to get access
to the Kerberized service.

I'll attach the script I used to install and setup the principals,
and add the testing procedure to
https://wiki.mageia.org/en/Testing_procedure_for_krb5
after I complete testing on Mageia 2 i586.
Comment 3 Dave Hodgins 2012-06-19 04:01:54 CEST
I'm having a problem using the same procedure on Mageia 2.

The krb5kdc service starts ok, but the kadmin service is failing to start with

kadmin[2542]: Error. Default principal database does not exist.

Don't kadmin and krb5kdc use the same config file?

/etc/krb5.conf, /etc/kerberos/krb5kdc/kdc.conf, and /etc/kerberos/krb5kdc/kadm5.acl
are identical to what I used in Mageia 1, as are the kadmin.local commands
I used to create the principals.
Comment 4 Dave Hodgins 2012-06-20 03:39:53 CEST
Created attachment 2476 [details]
Patch to fix kadmin startup script

Figured out the problem.  My Mageia 1 install is the same one I used to
test kerberos last November.  When I removed it, I missed the empty file
/var/kerberos/krb5kdc/principal, which is not currently owned by any package.

Whatever created it when I installed last November is no longer creating it
now, so this is a regression that is affecting both Mageia 1 and Mageia 2.
The attached patch should be applied to both.

In addition, in Mageia 2:

$ cat /usr/bin/krlogin
#!/bin/sh
/usr/kerberos/bin/rlogin -x "$@"

while in Mageia 1, where it works:

$ cat /usr/bin/krlogin
#!/bin/sh
/usr/bin/rlogin -x "$@"

So the Mageia 1 version of krlogin should be copied to the Mageia 2 version.
Comment 5 Dave Hodgins 2012-06-20 21:08:58 CEST
Reassigning back to developer till the problems in comment 4
are taken care of.
Comment 6 Dave Hodgins 2012-06-21 03:08:47 CEST
Created attachment 2478 [details]
krb5_server_setup.sh script for qa testers to install and create principals.
Comment 7 Guillaume Rousse 2012-06-27 17:05:17 CEST
Those wrappers belong to the krb5-appl package, not to krb5. I just submitted a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.
Comment 8 David Walser 2012-06-27 17:15:30 CEST
Thanks Guillaume.  Updated advisory and assigned back to QA.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before
1.10.2 allows remote authenticated administrators to cause a denial
of service (NULL pointer dereference and daemon crash) via a
KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password
(CVE-2012-1013).

Additionally, the paths to the rsh and rlogin commands used by krsh
and krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.2.mga1
libkrb53-devel-1.8.3-5.2.mga1
libkrb53-1.8.3-5.2.mga1
krb5-server-1.8.3-5.2.mga1
krb5-server-ldap-1.8.3-5.2.mga1
krb5-workstation-1.8.3-5.2.mga1
krb5-pkinit-openssl-1.8.3-5.2.mga1
krb5-1.9.2-2.1.mga2
libkrb53-devel-1.9.2-2.1.mga2
libkrb53-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-server-ldap-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.1.mga2
krb5-pkinit-openssl-1.9.2-2.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2
krb5-appl-clients-1.0.2-3.1.mga2

from SRPMS:
krb5-1.8.3-5.2.mga1.src.rpm
krb5-1.9.2-2.1.mga2.src.rpm
krb5-appl-1.0.2-3.1.mga2.src.rpm
Comment 9 Guillaume Rousse 2012-06-27 18:33:50 CEST
BTW, this 'security hole' had a very low impact factor, reading the description 'allows remote authenticated administrators to cause a denial of service'. "authenticated admins" = "the guys with already full data read/write access" :)
Comment 10 Dave Hodgins 2012-07-04 01:43:40 CEST
Testing complete on Mageia 1 i586 using the procedure at

https://wiki.mageia.org/en/QA_procedure:Krb5

Will test Mageia 2 i586 shortly.
Comment 11 Dave Hodgins 2012-07-04 02:15:45 CEST
(In reply to comment #7)
> Those wrappers belongs to the krb5-appl package, not to krb5. I just submitted
> a krb5-appl-1.0.2-3.1.mga2 package, fixing this issue, to updates_testing.

rpm -q -f /etc/init.d/kadmin 
krb5-server-1.9.2-2.1.mga2

Just realized my Mageia 1 test still used my patched version of the
/etc/init.d/kadmin script, so wasn't a valid test.

In Mageia 2, it still fails to start kadmin due to it looking for
/var/kerberos/krb5kdc/principal instead of
/etc/kerberos/krb5kdc/principal.

Take a look at the patch attached to comment 4.
Comment 12 David Walser 2012-07-04 15:47:52 CEST
(In reply to comment #11)
> Just realized my Mageia 1 test still used my patched version of the
> /etc/init.d/kadmin script, so wasn't a valid test.

So does it work there or not?

> In Mageia 2, it still fails to start kadmin due to it looking for
> /var/kerberos/krb5kdc/principal instead of
> /etc/kerberos/krb5kdc/principal.

Is this a problem with /etc/init.d/kadmin?  Is it fine in Mageia 1?

> Take a look at the patch attached to comment 4.

Already applied by Guillaume, or did I miss something?
Comment 13 Dave Hodgins 2012-07-04 23:33:32 CEST
(In reply to comment #12)
> (In reply to comment #11)
> > Just realized my Mageia 1 test still used my patched version of the
> > /etc/init.d/kadmin script, so wasn't a valid test.
> 
> So does it work there or not?

After uninstalling/reinstalling krb5-server, the kadmin service
cannot be started due to the wrong path for the database.

> > In Mageia 2, it still fails to start kadmin due to it looking for
> > /var/kerberos/krb5kdc/principal instead of
> > /etc/kerberos/krb5kdc/principal.
> 
> Is this a problem with /etc/init.d/kadmin?  Is it fine in Mageia 1?
> 
> > Take a look at the patch attached to comment 4.
> 
> Already applied by Guillaume, or did I miss something?

As far as I can see, only the problem with the Mageia 2 version
of /usr/bin/krlogin was fixed.  The problem with /etc/init.d/kadmin
still exists in both Mageia 1 and 2.
Comment 14 David Walser 2012-07-05 00:32:35 CEST
Thanks Dave, I understand now.  I noticed the same thing in the kprop init script.  I have asked on the -dev list if all of these should just be changed.
Comment 15 David Walser 2012-07-05 00:37:46 CEST
Assuming yes, does this sound like the right thing to add to the advisory?

The paths to the principal database and kpropd access list in the kadmin
and kpropd init scripts have also been fixed.
Comment 16 David Walser 2012-07-05 03:31:36 CEST
Well I have made the changes.  They seem correct, looking at the config file.

It may be a while before the Mageia 2 packages are available on the mirrors, as the build system seems to be having some issues.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before
1.10.2 allows remote authenticated administrators to cause a denial
of service (NULL pointer dereference and daemon crash) via a
KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password
(CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access
list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and
krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm
Comment 17 Guillaume Rousse 2012-07-05 10:05:31 CEST
While it is obviously needed to make the init scripts (and systemd services) consistent with the database location, it is less obvious which path should be used exactly.

As this database is actually state information, and for consistency with the other Kerberos package (heimdal) and with Fedora, I'll switch the cauldron package to use /var/kerberos instead of /etc/kerberos. For the security update, it could be considered less intrusive to keep the current path, for the sake of not disturbing a running service. However, given the lack of bug reports on this topic, it's highly probable no one ever used this package...
Comment 18 Guillaume Rousse 2012-07-05 11:18:58 CEST
Update: I used /var/lib/krb5kdc, as Gentoo does, which seems more FHS-consistent.
Comment 19 David Walser 2012-07-05 13:39:11 CEST
Thanks Guillaume.
Comment 20 David Walser 2012-07-05 13:40:41 CEST
Mageia 2 update finished building and all of the packages are on the mirrors.
Comment 21 Dave Hodgins 2012-07-05 19:23:03 CEST
Created attachment 2526 [details]
krb5_server_setup.sh - QA Testing script for installing and setting up kerberos

The advisory is missing the srpm
krb5-appl-1.0.1-2.3.1.mga1.src.rpm
and rpm package
krb5-appl-clients-1.0.1-2.3.1.mga1
and the Mageia 2 equivalents.

I've updated the QA Testing script to parse the db location from the
file /etc/kerberos/krb5kdc/kdc.conf

Testing complete on Mageia 1 i586.

I'll update https://wiki.mageia.org/en/QA_procedure:Krb5 to point
to the new attachment.

I'll test Mageia 2 i586 shortly.
Comment 22 Dave Hodgins 2012-07-05 19:57:27 CEST
My mistake.  The rpm packages
krb5-appl-clients-1.0.2-3.1.mga2
krb5-appl-servers-1.0.2-3.1.mga2
from the srpm
krb5-appl-1.0.2-3.1.mga2.src.rpm
only apply to Mageia 2, not Mageia 1.

Testing complete on Mageia 2 i586.
Comment 23 David Walser 2012-07-06 16:11:49 CEST
Mandriva has issued an advisory for this today (July 6):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:102
Comment 24 Samuel Verschelde 2012-07-08 16:17:08 CEST
Testing complete on Mageia 1 64 bits using the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5 (thanks Dave, very useful!)
Comment 25 Samuel Verschelde 2012-07-23 18:29:22 CEST
Testing complete on Mageia 2 64 bits.

Update validated. Sorry for the delay. No linking needed.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before
1.10.2 allows remote authenticated administrators to cause a denial
of service (NULL pointer dereference and daemon crash) via a
KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password
(CVE-2012-1013).

Additionally, the paths to the principal database and kpropd access
list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and
krlogin were fixed in the krb5-appl-clients package on Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.3.mga1
libkrb53-devel-1.8.3-5.3.mga1
libkrb53-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-1.9.2-2.2.mga2
libkrb53-devel-1.9.2-2.2.mga2
libkrb53-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2

from SRPMS:
krb5-1.8.3-5.3.mga1.src.rpm
krb5-1.9.2-2.2.mga2.src.rpm
Comment 26 Thomas Backlund 2012-07-24 13:14:37 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0178
Comment 27 David Walser 2012-08-26 17:58:31 CEST
krb5-appl-1.0.2-3.1.mga2.src.rpm should have been pushed with this update (see Comment 8).

Thomas, could you push this one please?

Sorry about this :o(
Comment 28 Thomas Backlund 2012-08-26 21:55:22 CEST
krb5-appl pushed