CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c


Debian Bug report logs - #702633
CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c


Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Sat, 9 Mar 2013 11:48:01 UTC

Severity: serious

Tags: patch, security

Found in version krb5/1.10.1+dfsg-4

Fixed in version krb5/1.10.1+dfsg-4+nmu1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Sat, 09 Mar 2013 11:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 09 Mar 2013 11:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Sat, 9 Mar 2013 12:44:32 +0100
Package: src:krb5
Version: 1.10.1+dfsg-4
Severity: serious
Tags: security

Dear kerberos maintainers,

I noticed that your recent upload of 1.10.1+dfsg-4 fixed CVE-2013-1415,
but it does not say anything about CVE-2012-1016. Those two
vulnerabilities were fixed in the same upstream release 1.10.4. Could
you have a look at whether this particular issue CVE-2012-1016 affects
us and downgrade or close this bug as appropriate?

Helmut



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Fri, 15 Mar 2013 19:00:10 GMT) (full text, mbox, link).


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 15 Mar 2013 19:00:10 GMT) (full text, mbox, link).


Message #10 received at 702633@bugs.debian.org (full text, mbox, reply):

From: Arnaud Fontaine <arnau@debian.org>
To: 702633@bugs.debian.org
Cc: Helmut Grohne <helmut@subdivi.de>, control@bugs.debian.org
Subject: Re: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Fri, 15 Mar 2013 17:20:12 +0900
[Message part 1 (text/plain, inline)]
tags 702633 + patch
thanks

Hello,

After checking the source code, this part of the code does not seem to
have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at
least the version available in testing and unstable. The current code
is:

    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {

        /* If mutually supported KDFs were found, use the alg agility KDF */
        if (rep->u.dh_Info.kdfID) {

Thus, rep could be NULL which has been addressed by the following
upstream patch:

https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff

I also prepared a NMU[0] in case it helps (it builds fine with
cowbuilder but I could not test it though) and attached the diff to this
email.

Cheers,
-- 
Arnaud Fontaine

[0] http://people.debian.org/~arnau/packages/krb5/

[krb5_CVE-2012-1016_702633.patch (text/x-diff, attachment)]
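The control-flow defect described in the message above, modelled as an added C example; this is not code from krb5, from the bug report or from the attached patch. It uses simplified stand-in structures for the two PKINIT reply types, a selector shaped like the quoted fragment (the outer condition is satisfied by a draft-9 DH reply alone, yet the inner test dereferences rep unconditionally), a hardened variant that checks rep before the inner dereference, and a helper that flags exactly the inputs on which the outer condition holds with rep == NULL. The type names, the numeric values of the choice constants, run_scenario, reaches_deref_with_null_rep and the kdfID placeholder string are assumptions; the hardened variant is written to the fix the message describes (a NULL check on rep), not copied from the upstream commit.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the krb5 PKINIT reply types; the
 * real structures carry many more members.  A KDC produces at most one of
 * the two replies per request: rep9 for draft-9 clients, rep for RFC 4556
 * clients, so either pointer may legitimately be NULL. */
enum { choice_pa_pk_as_rep_dhInfo = 0, choice_pa_pk_as_rep_encKeyPack = 1 };
enum { choice_pa_pk_as_rep_draft9_dhSignedData = 0,
       choice_pa_pk_as_rep_draft9_encKeyPack = 1 };

typedef struct {
    int choice;
    union {
        /* kdfID stays NULL when client and KDC share no KDF identifier */
        struct { const char *kdfID; } dh_Info;
    } u;
} pa_pk_as_rep_t;

typedef struct { int choice; } pa_pk_as_rep_draft9_t;

/* KDF_WOULD_CRASH is returned by the demo driver instead of executing the
 * NULL dereference; the other values model the two derivation paths. */
enum kdf_choice { KDF_WOULD_CRASH = -1, KDF_NONE = 0,
                  KDF_OCTETSTRING2KEY = 1, KDF_AGILITY = 2 };

/* Vulnerable shape, as quoted in the bug report. */
static enum kdf_choice
select_kdf_vulnerable(const pa_pk_as_rep_draft9_t *rep9, const pa_pk_as_rep_t *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        /* If mutually supported KDFs were found, use the alg agility KDF.
         * rep is NULL whenever only rep9 satisfied the outer test. */
        if (rep->u.dh_Info.kdfID)
            return KDF_AGILITY;
        return KDF_OCTETSTRING2KEY;
    }
    return KDF_NONE;
}

/* Hardened shape (assumed to match the intent of the upstream fix): the
 * inner test checks rep first, so a draft-9 reply falls through to the
 * legacy octetstring2key derivation instead of dereferencing NULL. */
static enum kdf_choice
select_kdf_fixed(const pa_pk_as_rep_draft9_t *rep9, const pa_pk_as_rep_t *rep)
{
    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
        if (rep != NULL && rep->u.dh_Info.kdfID)
            return KDF_AGILITY;
        return KDF_OCTETSTRING2KEY;
    }
    return KDF_NONE;
}

/* Reviewer's check: does the outer condition admit rep == NULL?  Returns 1
 * for precisely the inputs on which the vulnerable selector would crash. */
static int
reaches_deref_with_null_rep(const pa_pk_as_rep_draft9_t *rep9, const pa_pk_as_rep_t *rep)
{
    int outer = (rep9 != NULL &&
                 rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
                (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo);
    return outer && rep == NULL;
}

/* Scenario driver.  rep9_dh: supply a draft-9 dhSignedData reply;
 * rep_choice: -1 for no RFC 4556 reply, else its choice value;
 * has_kdf: mark a mutually supported KDF as found; use_fixed: which
 * selector to run.  The crashing input is reported, never executed. */
static enum kdf_choice
run_scenario(int rep9_dh, int rep_choice, int has_kdf, int use_fixed)
{
    pa_pk_as_rep_draft9_t rep9 = { choice_pa_pk_as_rep_draft9_dhSignedData };
    pa_pk_as_rep_t rep = { 0 };
    const pa_pk_as_rep_draft9_t *p9 = rep9_dh ? &rep9 : NULL;
    const pa_pk_as_rep_t *p = NULL;

    if (rep_choice >= 0) {
        rep.choice = rep_choice;
        rep.u.dh_Info.kdfID = has_kdf ? "constructed-kdf-id" : NULL;
        p = &rep;
    }
    if (!use_fixed && reaches_deref_with_null_rep(p9, p))
        return KDF_WOULD_CRASH;
    return use_fixed ? select_kdf_fixed(p9, p) : select_kdf_vulnerable(p9, p);
}

int main(void)
{
    printf("draft-9 DH reply only, vulnerable -> %d\n", run_scenario(1, -1, 0, 0));
    printf("draft-9 DH reply only, fixed      -> %d\n", run_scenario(1, -1, 0, 1));
    printf("RFC 4556 dhInfo with kdfID, fixed -> %d\n",
           run_scenario(0, choice_pa_pk_as_rep_dhInfo, 1, 1));
    printf("RFC 4556 encKeyPack, fixed        -> %d\n",
           run_scenario(0, choice_pa_pk_as_rep_encKeyPack, 0, 1));
    return 0;
}
```

The draft-9 scenario is the one the report is about: the outer condition is true, rep is NULL, and the vulnerable selector reads through it, while the hardened selector returns the legacy derivation. Every other combination yields the same result from both selectors, which is why the defect only surfaces with draft-9 clients.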

Added tag(s) patch. Request was from Arnaud Fontaine <arnau@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2013 19:01:16 GMT) (full text, mbox, link).


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sat, 16 Mar 2013 19:30:05 GMT) (full text, mbox, link).


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Sat, 16 Mar 2013 19:30:05 GMT) (full text, mbox, link).


Message #17 received at 702633-done@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Arnaud Fontaine <arnau@debian.org>, 702633-done@bugs.debian.org
Subject: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Sat, 16 Mar 2013 20:26:44 +0100
[Message part 1 (text/plain, inline)]
Version: 1.10.1+dfsg-4+nmu1

Hi Arnaud

On 2013-03-15 17:20:12, Arnaud Fontaine wrote:
> After checking the source  code, this part of the code  does not seem to
> have changed  between 1.10.1 and  1.10.4, so  AFAIU this bug  affects at
> least the  version available in  testing and unstable. The  current code
> is:
> 
>     if ((rep9 != NULL &&
>          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
>         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
> 
>         /* If mutually supported KDFs were found, use the alg agility KDF */
>         if (rep->u.dh_Info.kdfID) {
> 
> Thus,  rep could  be  NULL which  has been  addressed  by the  following
> upstream patch:
> 
> https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
> 
> I  also  prepared  a NMU[0]  in  case  it  helps  (it builds  fine  with
> cowbuilder but I could not test it though) and attached the diff to this
> email.

The bug has already been fixed in 1.10.1+dfsg-4+nmu1 with the same
patch. There doesn't seem to be an nmudiff in the bug log and the -done
mail is also missing. Maybe they got lost during the BTS outage
yesterday or are stuck in some queue and have yet to be delivered to
the BTS.

So let's close the bug. I've also attached the debdiff between
1.10.1+dfsg-4 and 1.10.1+dfsg-1+nmu1.

Regards
-- 
Sebastian Ramacher
[krb5_1.10.1+dfsg-4+nmu1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 19:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 19:51:04 GMT) (full text, mbox, link).


Message #22 received at 702633@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: 702633@bugs.debian.org
Cc: mgilbert@debian.org
Subject: Re: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Tue, 19 Mar 2013 15:47:37 -0400 (EDT)
reopen 702633
thanks

The changelog entry for krb5 1.10.1+dfsg-4+nmu1 mentions the CVE number 
2013-1016; this vulnerability is actually cve-2012-1016 (note 2012 instead 
of 2013).

I don't see a debian-security-announce mail yet, so hopefully the typo 
will not be promulgated there.

-Ben Kaduk



Bug reopened. Request was from Benjamin Kaduk <kaduk@MIT.EDU> to control@bugs.debian.org. (Tue, 19 Mar 2013 19:51:13 GMT) (full text, mbox, link).


No longer marked as fixed in versions 1.10.1+dfsg-4+nmu1. Request was from Benjamin Kaduk <kaduk@MIT.EDU> to control@bugs.debian.org. (Tue, 19 Mar 2013 19:51:14 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:03:08 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:03:08 GMT) (full text, mbox, link).


Message #31 received at 702633@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Benjamin Kaduk <kaduk@MIT.EDU>, 702633@bugs.debian.org
Cc: mgilbert@debian.org
Subject: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Tue, 19 Mar 2013 19:58:24 +0000
On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> reopen 702633

Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
a fix for this bug?

If the answer to my first question is "because it's not fixed in stable
yet", then the re-opening was incorrect, as the actual effect was to
mark it as not fixed in _unstable_.

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:09:05 GMT) (full text, mbox, link).


Message #36 received at 702633@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 702633@bugs.debian.org, mgilbert@debian.org
Subject: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Tue, 19 Mar 2013 16:04:59 -0400 (EDT)
On Tue, 19 Mar 2013, Adam D. Barratt wrote:

> On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
>> reopen 702633
>
> Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> a fix for this bug?

The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, 
and as such the purported "fix" for this bug is incomplete, as the 
documentation of the change is incorrect.  Now, it may be that the package 
maintainer or the security team may decide that a version bump is not 
necessary to correct this error, but such a decision should be explicitly 
made (IMHO).

> If the answer to my first question is "because it's not fixed in stable
> yet", then the re-opening was incorrect, as the actual effect was to
> mark it as not fixed in _unstable_.

My action of reopening the bug reflects the contents of the package in 
unstable.

-Ben Kaduk



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 20:18:12 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 20:18:12 GMT) (full text, mbox, link).


Message #41 received at 702633@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Benjamin Kaduk <kaduk@MIT.EDU>, 702633@bugs.debian.org
Cc: mgilbert@debian.org
Subject: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Tue, 19 Mar 2013 20:14:57 +0000
Control: fixed -1 1.10.1+dfsg-4+nmu1

On Tue, 2013-03-19 at 16:04 -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
> 
> > On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> >> reopen 702633
> >
> > Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> > a fix for this bug?
> 
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, 
> and as such the purpoted "fix" for this bug is incomplete, as the 
> documentation of the change is incorrect.  Now, it may be that the package 
> maintainer or the security team may decide that a version bump is not 
> necessary to correct this error, but such a decision should be explicitly 
> made (IMHO).

This bug is about CVE-2012-1016. If the package contains a fix for
CVE-2012-1016 then the bug is fixed, whether or not the changelog
correctly indicates that.

Yes, the changelog should be corrected, but that doesn't change the fact
that the package includes the fix for the security issue discussed in
this bug report.

Regards,

Adam
(Not that it should matter, but with a Release Manager hat on; the
maintainer / security team are of course free to disagree...)




Marked as fixed in versions krb5/1.10.1+dfsg-4+nmu1. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 702633-submit@bugs.debian.org. (Tue, 19 Mar 2013 20:18:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Tue, 19 Mar 2013 21:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 19 Mar 2013 21:18:04 GMT) (full text, mbox, link).


Message #48 received at 702633@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>, 702633@bugs.debian.org
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, mgilbert@debian.org
Subject: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Date: Tue, 19 Mar 2013 22:15:05 +0100
Hi Benjamin

On Tue, Mar 19, 2013 at 04:04:59PM -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
> 
> >On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> >>reopen 702633
> >
> >Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
> >a fix for this bug?
> 
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE
> number, and as such the purpoted "fix" for this bug is incomplete,
> as the documentation of the change is incorrect.  Now, it may be
> that the package maintainer or the security team may decide that a
> version bump is not necessary to correct this error, but such a
> decision should be explicitly made (IMHO).
> 
> >If the answer to my first question is "because it's not fixed in stable
> >yet", then the re-opening was incorrect, as the actual effect was to
> >mark it as not fixed in _unstable_.
> 
> My action of reopening the bug reflects the contents of the package
> in unstable.

Thank you for noticing this. To track this I opened
http://bugs.debian.org/703457

Hope that helps,

Salvatore



Marked Bug as done. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2013 01:15:08 GMT) (full text, mbox, link).


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Fri, 05 Apr 2013 01:15:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#702633; Package src:krb5. (Sun, 21 Apr 2013 23:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sun, 21 Apr 2013 23:39:04 GMT) (full text, mbox, link).


Message #57 received at 702633@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: 702633@bugs.debian.org
Subject: cve-2012-1016 not found in krb5-1.8
Date: Sun, 21 Apr 2013 19:38:07 -0400 (EDT)
The check which introduced the bug for cve-2012-1016 was brought in when 
pkinit agility was introduced, upstream's commit 
3725d22140c23a376dd79b69d130be8e2b91005f on 19 Sept 2011.  The first 
release to include this code was krb5-1.10; the 1.8 version in squeeze is 
too old for this bug.

-Ben Kaduk



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:48:55 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:37:53 2019; Machine Name: buxtehude
