Debian Bug report logs - #702633
CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Reported by: Helmut Grohne <helmut@subdivi.de>
Date: Sat, 9 Mar 2013 11:48:01 UTC
Severity: serious
Tags: patch, security
Found in version krb5/1.10.1+dfsg-4
Fixed in version krb5/1.10.1+dfsg-4+nmu1
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Sat, 09 Mar 2013 11:48:04 GMT)
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>: New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 09 Mar 2013 11:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: src:krb5
Version: 1.10.1+dfsg-4
Severity: serious
Tags: security
Dear kerberos maintainers,
I noticed that your recent upload of 1.10.1+dfsg-4 fixed CVE-2013-1415,
but it does not say anything about CVE-2012-1016. Those two
vulnerabilities were fixed in the same upstream release 1.10.4. Could
you have a look at whether this particular issue CVE-2012-1016 affects
us and downgrade or close this bug as appropriate?
Helmut
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Fri, 15 Mar 2013 19:00:10 GMT)
Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 15 Mar 2013 19:00:10 GMT)
Message #10 received at 702633@bugs.debian.org:
tags 702633 + patch
thanks
Hello,
After checking the source code, this part of the code does not seem to
have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at
least the version available in testing and unstable. The current code
is:
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        /* If mutually supported KDFs were found, use the alg agility KDF */
        if (rep->u.dh_Info.kdfID) {
Thus, rep could be NULL which has been addressed by the following
upstream patch:
https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
I also prepared a NMU[0] in case it helps (it builds fine with
cowbuilder but I could not test it though) and attached the diff to this
email.
Cheers,
--
Arnaud Fontaine
[0] http://people.debian.org/~arnau/packages/krb5/
[krb5_CVE-2012-1016_702633.patch (text/x-diff, attachment)]
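The snippet above is enough to see the defect: the outer condition accepts a draft-9 DH reply (`rep9` set, `rep` NULL), but the inner condition reads `rep->u.dh_Info.kdfID` without re-checking `rep`. The following C model is an added example, not code from this bug log or from krb5: the types are constructed stand-ins that borrow the quoted field and enumerator names, the `KDF_*` result codes are mine, and the "guarded" function shows one fix shape (a NULL check on `rep` before the dereference); the referenced upstream commit is not quoted here, so its exact wording is an assumption. Instead of actually crashing, the unguarded model returns a marker at the point where the real KDC would dereference NULL, so the two control flows can be compared on the same inputs.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-in types for the krb5 PKINIT reply structures. Constructed for this
 * example: field and enumerator names follow the snippet quoted in the bug
 * report, but the layout is not the real ASN.1-generated one.
 */
enum { choice_pa_pk_as_rep_dhInfo = 0, choice_pa_pk_as_rep_encKeyPack = 1 };
enum { choice_pa_pk_as_rep_draft9_dhSignedData = 0,
       choice_pa_pk_as_rep_draft9_encKeyPack = 1 };

typedef struct {
    int choice;
    union {
        struct { int kdfID; } dh_Info;  /* non-zero: a mutually supported KDF was negotiated */
    } u;
} pa_pk_as_rep;             /* RFC 4556 reply; NULL when the client spoke draft-9 */

typedef struct {
    int choice;
} pa_pk_as_rep_draft9;      /* draft-9 reply; NULL when the client spoke RFC 4556 */

enum kdf_choice {
    KDF_NULL_DEREF = -1,    /* model marker: the real code would crash here */
    KDF_NOT_DH = 0,         /* not a DH exchange, no KDF decision to make */
    KDF_OCTETSTRING2KEY = 1,/* legacy derivation */
    KDF_ALG_AGILITY = 2     /* negotiated kdfID */
};

/* Vulnerable control flow as quoted in the bug: the outer test admits a
 * draft-9 DH reply with rep == NULL, yet the inner test reads rep->u. */
int choose_kdf_unguarded(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        if (rep == NULL)
            return KDF_NULL_DEREF;      /* real code: rep->u.dh_Info.kdfID */
        if (rep->u.dh_Info.kdfID)
            return KDF_ALG_AGILITY;
        return KDF_OCTETSTRING2KEY;
    }
    return KDF_NOT_DH;
}

/* Hardened form: a draft-9 reply carries no kdfID, so the agility KDF is
 * chosen only when a non-NULL RFC 4556 reply negotiated one; every other
 * DH exchange falls back to the legacy derivation. */
int choose_kdf_guarded(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        if (rep != NULL && rep->u.dh_Info.kdfID)
            return KDF_ALG_AGILITY;
        return KDF_OCTETSTRING2KEY;
    }
    return KDF_NOT_DH;
}

/* Constructed scenarios. The first is the CVE-2012-1016 situation: a
 * draft-9 DH exchange, for which the KDC has no RFC 4556 reply object. */
int scenario_draft9_dh(int guarded)
{
    pa_pk_as_rep_draft9 rep9 = { choice_pa_pk_as_rep_draft9_dhSignedData };
    return guarded ? choose_kdf_guarded(&rep9, NULL)
                   : choose_kdf_unguarded(&rep9, NULL);
}

int scenario_rfc4556_dh(int guarded, int kdf_id)
{
    pa_pk_as_rep rep = { choice_pa_pk_as_rep_dhInfo, { { kdf_id } } };
    return guarded ? choose_kdf_guarded(NULL, &rep)
                   : choose_kdf_unguarded(NULL, &rep);
}

int main(void)
{
    printf("draft-9 DH, unguarded: %d (-1 = NULL dereference)\n", scenario_draft9_dh(0));
    printf("draft-9 DH, guarded:   %d\n", scenario_draft9_dh(1));
    printf("RFC 4556 DH, kdfID=1:  %d\n", scenario_rfc4556_dh(1, 1));
    printf("RFC 4556 DH, kdfID=0:  %d\n", scenario_rfc4556_dh(1, 0));
    return 0;
}
```

The point for a reviewer is that the two halves of the outer `||` admit different object shapes, so a guard on `rep` inside the first half's path is not implied by the outer test; the guarded version restores the invariant that `rep` is only dereferenced when it is non-NULL, and the RFC 4556 scenarios show that the fix does not change behaviour for clients that do supply a kdfID.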
Added tag(s) patch. Request was from Arnaud Fontaine <arnau@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2013 19:01:16 GMT)
Reply sent to Sebastian Ramacher <sramacher@debian.org>: You have taken responsibility. (Sat, 16 Mar 2013 19:30:05 GMT)
Notification sent to Helmut Grohne <helmut@subdivi.de>: Bug acknowledged by developer. (Sat, 16 Mar 2013 19:30:05 GMT)
Message #17 received at 702633-done@bugs.debian.org:
Version: 1.10.1+dfsg-4+nmu1
Hi Arnaud
On 2013-03-15 17:20:12, Arnaud Fontaine wrote:
> After checking the source code, this part of the code does not seem to
> have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at
> least the version available in testing and unstable. The current code
> is:
>
>     if ((rep9 != NULL &&
>          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
>         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
>
>         /* If mutually supported KDFs were found, use the alg agility KDF */
>         if (rep->u.dh_Info.kdfID) {
>
> Thus, rep could be NULL which has been addressed by the following
> upstream patch:
>
> https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
>
> I also prepared a NMU[0] in case it helps (it builds fine with
> cowbuilder but I could not test it though) and attached the diff to this
> email.
The bug has already been fixed in 1.10.1+dfsg-4+nmu1 with the same
patch. There doesn't seem to be an nmudiff in the bug log and the -done
mail is also missing. Maybe they got lost during the BTS outage
yesterday or are stuck in some queue and have yet to be delivered to
the BTS.
So let's close the bug. I've also attached the debdiff between
1.10.1+dfsg-4 and 1.10.1+dfsg-1+nmu1.
Regards
--
Sebastian Ramacher
[krb5_1.10.1+dfsg-4+nmu1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 19:51:04 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 19:51:04 GMT)
Message #22 received at 702633@bugs.debian.org:
reopen 702633
thanks
The changelog entry for krb5 1.10.1+dfsg-4+nmu1 mentions the CVE number
2013-1016; this vulnerability is actually CVE-2012-1016 (note 2012 instead
of 2013).
I don't see a debian-security-announce mail yet, so hopefully the typo
will not be promulgated there.
-Ben Kaduk
Bug reopened. Request was from Benjamin Kaduk <kaduk@MIT.EDU> to control@bugs.debian.org. (Tue, 19 Mar 2013 19:51:13 GMT)
No longer marked as fixed in versions 1.10.1+dfsg-4+nmu1. Request was from Benjamin Kaduk <kaduk@MIT.EDU> to control@bugs.debian.org. (Tue, 19 Mar 2013 19:51:14 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:03:08 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:03:08 GMT)
Message #31 received at 702633@bugs.debian.org:
On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> reopen 702633
Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
a fix for this bug?
If the answer to my first question is "because it's not fixed in stable
yet", then the re-opening was incorrect, as the actual effect was to
mark it as not fixed in _unstable_.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:09:05 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:09:05 GMT)
Message #36 received at 702633@bugs.debian.org:
On Tue, 19 Mar 2013, Adam D. Barratt wrote:
> On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
>> reopen 702633
>
> Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> a fix for this bug?
The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number,
and as such the purported "fix" for this bug is incomplete, as the
documentation of the change is incorrect. Now, it may be that the package
maintainer or the security team may decide that a version bump is not
necessary to correct this error, but such a decision should be explicitly
made (IMHO).
> If the answer to my first question is "because it's not fixed in stable
> yet", then the re-opening was incorrect, as the actual effect was to
> mark it as not fixed in _unstable_.
My action of reopening the bug reflects the contents of the package in
unstable.
-Ben Kaduk
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:18:12 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:18:12 GMT)
Message #41 received at 702633@bugs.debian.org:
Control: fixed -1 1.10.1+dfsg-4+nmu1
On Tue, 2013-03-19 at 16:04 -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
>
> > On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> >> reopen 702633
> >
> > Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> > a fix for this bug?
>
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number,
> and as such the purported "fix" for this bug is incomplete, as the
> documentation of the change is incorrect. Now, it may be that the package
> maintainer or the security team may decide that a version bump is not
> necessary to correct this error, but such a decision should be explicitly
> made (IMHO).
This bug is about CVE-2012-1016. If the package contains a fix for
CVE-2012-1016 then the bug is fixed, whether or not the changelog
correctly indicates that.
Yes, the changelog should be corrected, but that doesn't change the fact
that the package includes the fix for the security issue discussed in
this bug report.
Regards,
Adam
(Not that it should matter, but with a Release Manager hat on; the
maintainer / security team are of course free to disagree...)
Marked as fixed in versions krb5/1.10.1+dfsg-4+nmu1. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 702633-submit@bugs.debian.org. (Tue, 19 Mar 2013 20:18:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 21:18:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 21:18:04 GMT)
Message #48 received at 702633@bugs.debian.org:
Hi Benjamin
On Tue, Mar 19, 2013 at 04:04:59PM -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
>
> >On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> >>reopen 702633
> >
> >Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> >a fix for this bug?
>
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE
> number, and as such the purported "fix" for this bug is incomplete,
> as the documentation of the change is incorrect. Now, it may be
> that the package maintainer or the security team may decide that a
> version bump is not necessary to correct this error, but such a
> decision should be explicitly made (IMHO).
>
> >If the answer to my first question is "because it's not fixed in stable
> >yet", then the re-opening was incorrect, as the actual effect was to
> >mark it as not fixed in _unstable_.
>
> My action of reopening the bug reflects the contents of the package
> in unstable.
Thank you for noticing this. To track this I opened
http://bugs.debian.org/703457
Hope that helps,
Salvatore
Marked Bug as done. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2013 01:15:08 GMT)
Notification sent to Helmut Grohne <helmut@subdivi.de>: Bug acknowledged by developer. (Fri, 05 Apr 2013 01:15:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#702633; Package src:krb5. (Sun, 21 Apr 2013 23:39:04 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sun, 21 Apr 2013 23:39:04 GMT)
Message #57 received at 702633@bugs.debian.org:
The check which introduced the bug for CVE-2012-1016 was brought in when
pkinit agility was introduced, upstream's commit
3725d22140c23a376dd79b69d130be8e2b91005f on 19 Sept 2011. The first
release to include this code was krb5-1.10; the 1.8 version in squeeze is
too old for this bug.
-Ben Kaduk
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:48:55 GMT)
Last modified: Wed Jun 19 18:37:53 2019