Bug 6929 - krb5 new security issue CVE-2012-1015
Summary: krb5 new security issue CVE-2012-1015
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
URL: http://lwn.net/Vulnerabilities/509170/
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2...
Keywords: validated_update
Reported: 2012-08-01 22:58 CEST by David Walser
Modified: 2012-08-03 22:55 CEST
Source RPM: krb5-1.9.2-2.2.mga2.src.rpm

Description David Walser 2012-08-01 22:58:46 CEST
Mandriva has issued an advisory today (August 1):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

The MIT krb5 KDC (Key Distribution Center) daemon can free an
uninitialized pointer while processing an unusual AS-REQ, corrupting
the process heap and possibly causing the daemon to abnormally
terminate. An attacker could use this vulnerability to execute
malicious code, but exploiting frees of uninitialized pointers to
execute code is believed to be difficult. It is possible that a
legitimate client that is misconfigured in an unusual way could
trigger this vulnerability (CVE-2012-1015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
========================

Updated packages in core/updates_testing:
========================
krb5-1.8.3-5.4.mga1
libkrb53-devel-1.8.3-5.4.mga1
libkrb53-1.8.3-5.4.mga1
krb5-server-1.8.3-5.4.mga1
krb5-server-ldap-1.8.3-5.4.mga1
krb5-workstation-1.8.3-5.4.mga1
krb5-pkinit-openssl-1.8.3-5.4.mga1
krb5-1.9.2-2.3.mga2
libkrb53-devel-1.9.2-2.3.mga2
libkrb53-1.9.2-2.3.mga2
krb5-server-1.9.2-2.3.mga2
krb5-server-ldap-1.9.2-2.3.mga2
krb5-workstation-1.9.2-2.3.mga2
krb5-pkinit-openssl-1.9.2-2.3.mga2

from SRPMS:
krb5-1.8.3-5.4.mga1.src.rpm
krb5-1.9.2-2.3.mga2.src.rpm

David Walser 2012-08-01 22:58:52 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 Samuel Verschelde 2012-08-02 09:56:57 CEST
We've got a testing procedure for testing krb5: https://wiki.mageia.org/en/QA_procedure:Krb5

No known exploit, so following the testing procedure should be enough.

CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 2 Dave Hodgins 2012-08-02 20:44:34 CEST
Testing complete on Mageia 1 i586.

I'll be testing the others shortly.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2012-08-02 21:06:33 CEST
On Mageia 1 x86-64, everything is fine until I try to krlogin.

There, login fails, but there is no message displayed.
In /var/log/auth.log, there is an error message ...
klogind[32124]: Error reading message

I'm trying to figure out what is causing the problem.

Comment 4 Dave Hodgins 2012-08-02 22:37:50 CEST
https://bugs.launchpad.net/ubuntu/+source/krb5-appl/+bug/564641

Seems to be the same problem and has a patch.

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure feedback

Comment 5 Dave Hodgins 2012-08-02 23:26:47 CEST
Testing complete on Mageia 2 x86-64.

I'll retest Mageia 1 x86-64 to see if comment 3 is a regression.

I've also updated the procedure to show what output krlogin should
be displaying.

Whiteboard: MGA1TOO has_procedure feedback => MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK

David Walser 2012-08-02 23:36:18 CEST

Severity: normal => major

Comment 6 Dave Hodgins 2012-08-02 23:41:49 CEST
I've now confirmed the problem with krlogin in Mageia 1 x86-64 is not a
regression.

As klist shows the ticket is being granted, I'll consider testing complete
on Mageia 1 64 bit, and will open a new bug report for the krlogin problem.

Whiteboard: MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK => MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK MGA1-64-OK

Dave Hodgins 2012-08-02 23:42:13 CEST

Whiteboard: MGA1TOO has_procedure feedback MGA1-32-OK MGA2-64-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK

Comment 7 Dave Hodgins 2012-08-03 00:10:20 CEST
Testing complete.  Bug 6939 opened for the krlogin problem.

Could someone from the sysadmin team push the srpm
krb5-1.9.2-2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
krb5-1.8.3-5.4.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated krb5 packages fix security vulnerability:

The MIT krb5 KDC (Key Distribution Center) daemon can free an
uninitialized pointer while processing an unusual AS-REQ, corrupting
the process heap and possibly causing the daemon to abnormally
terminate. An attacker could use this vulnerability to execute
malicious code, but exploiting frees of uninitialized pointers to
execute code is believed to be difficult. It is possible that a
legitimate client that is misconfigured in an unusual way could
trigger this vulnerability (CVE-2012-1015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111

https://bugs.mageia.org/show_bug.cgi?id=6929

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK MGA2-32-OK

Comment 8 Thomas Backlund 2012-08-03 22:55:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0196

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
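
As an added example (not part of the bug report or of Mageia's tooling): a check that krb5 packages on a host are at or above the fixed builds listed in the description, krb5-1.8.3-5.4.mga1 and krb5-1.9.2-2.3.mga2. The version comparison is a simplified rpmvercmp, and the function names and the sample `rpm -q` lines are constructed for illustration.

```python
import re

# Fixed builds, copied from the "Updated packages" list in this bug report.
FIXED = {"mga1": "1.8.3-5.4.mga1", "mga2": "1.9.2-2.3.mga2"}

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^'): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def has_fix(nvr):
    """nvr is one package as printed by `rpm -q`; an arch suffix is tolerated.
    Returns True/False, or None for releases this bug does not cover."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+?\.(mga\d+))(?:\.\w+)?$", nvr.strip())
    if not m or m.group(4) not in FIXED:
        return None
    return evr_cmp(f"{m.group(2)}-{m.group(3)}", FIXED[m.group(4)]) >= 0

def missing_fix(rpm_q_lines):
    """Return the packages that are still below the fixed build."""
    return [line for line in rpm_q_lines if has_fix(line) is False]

# Constructed sample of `rpm -q` output (not taken from a real host).
SAMPLE = [
    "krb5-server-1.9.2-2.2.mga2.x86_64",     # release named under "Source RPM"
    "libkrb53-1.9.2-2.3.mga2.x86_64",
    "krb5-server-1.8.3-5.4.mga1.i586",
    "krb5-workstation-1.8.3-5.3.mga1.i586",  # constructed older release
]

if __name__ == "__main__":
    for pkg in missing_fix(SAMPLE):
        print("needs update:", pkg)
```
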

