Debian Bug report logs - #704775
krb5: KDC TGS-REQ null deref (CVE-2013-1416)
Reported by: Benjamin Kaduk <kaduk@MIT.EDU>
Date: Fri, 5 Apr 2013 18:36:01 UTC
Severity: serious
Tags: pending, security
Found in versions krb5/1.10.1+dfsg-4+nmu1, krb5/1.8.3+dfsg-4squeeze6
Fixed in version krb5/1.10.1+dfsg-5
Done: Benjamin Kaduk <kaduk@mit.edu>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Fri, 05 Apr 2013 18:36:06 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 05 Apr 2013 18:36:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: krb5-kdc
Version: 1.10.1+dfsg-4+nmu1
Severity: serious
Upstream has patched against CVE-2013-1416; Debian should as well.
By sending an unusual but valid TGS-REQ, an authenticated remote attacker
can cause the KDC process to crash by dereferencing a null pointer.
Only krb5 releases 1.7 to 1.10 are affected; the code in question was
rewritten for 1.11.
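The crash described in this report, as a C example added here (it is not krb5's code and not from this thread): the pre-fix KDC copied a principal component with strlcpy through a pointer that is NULL for an empty component, and the do_tgs_req.c hunk in the patch later in this log is the fix. The hardened copy below zero-fills the destination and copies only from a non-NULL pointer; `comp_data`, `copy_component` and `component_is_wellformed` are names assumed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data, constructed for this example (the real struct
 * also carries a magic field).  A zero-length principal component may
 * legitimately arrive with data == NULL. */
typedef struct {
    unsigned int length;
    char *data;
} comp_data;

/* Hardened copy.  The pre-fix KDC did strlcpy(buf, comp->data, length + 1),
 * which reads through comp->data even when it is NULL.  Here the buffer is
 * zero-filled (so it is always NUL-terminated) and bytes are copied only
 * from a non-NULL pointer.  Returns NULL on allocation failure (ENOMEM). */
static char *copy_component(const comp_data *comp)
{
    char *buf = calloc(1, (size_t)comp->length + 1);
    if (buf == NULL)
        return NULL;
    if (comp->data != NULL && comp->length > 0)
        memcpy(buf, comp->data, comp->length);
    return buf;
}

/* Consistency check a server can apply before touching a component:
 * a NULL data pointer is acceptable only together with a zero length. */
static int component_is_wellformed(const comp_data *comp)
{
    return comp->data != NULL || comp->length == 0;
}

/* Each check returns 1 on the expected outcome; inputs are constructed. */
static int check_empty_component(void)
{
    comp_data empty = { 0, NULL };            /* the shape that crashed */
    char *s = copy_component(&empty);
    int ok = s != NULL && s[0] == '\0';
    free(s);
    return ok;
}

static int check_normal_component(void)
{
    char host[] = "kdc.example.com";
    comp_data c = { (unsigned int)(sizeof host - 1), host };
    char *s = copy_component(&c);
    int ok = s != NULL && strcmp(s, host) == 0;
    free(s);
    return ok;
}

static int check_inconsistent_rejected(void)
{
    comp_data bogus = { 5, NULL };            /* length without data */
    return !component_is_wellformed(&bogus);
}

int main(void)
{
    /* Exit status 0 when all three checks pass. */
    return !(check_empty_component() && check_normal_component()
             && check_inconsistent_rejected());
}
```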
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Fri, 05 Apr 2013 18:42:04 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 05 Apr 2013 18:42:04 GMT)
Message #10 received at 704775@bugs.debian.org:
The patch is now available in the pkg-k5-afs/debian.git repository on
alioth.
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 Apr 2013 19:12:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Sat, 06 Apr 2013 19:09:07 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 06 Apr 2013 19:09:07 GMT)
Message #17 received at 704775@bugs.debian.org:
I'm not seeing any new kerberos releases:
http://web.mit.edu/kerberos/krb5-1.10
Is this perhaps not meant to be public knowledge yet?
Best wishes,
Mike
Message sent on to Benjamin Kaduk <kaduk@MIT.EDU>: Bug#704775. (Sat, 06 Apr 2013 19:09:16 GMT)
Reply sent to Benjamin Kaduk <kaduk@mit.edu>: You have taken responsibility. (Sun, 07 Apr 2013 17:06:27 GMT)
Notification sent to Benjamin Kaduk <kaduk@MIT.EDU>: Bug acknowledged by developer. (Sun, 07 Apr 2013 17:06:27 GMT)
Message #25 received at 704775-close@bugs.debian.org:
Source: krb5
Source-Version: 1.10.1+dfsg-5
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 05 Apr 2013 14:36:50 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit8 libkadm5clnt-mit8 libk5crypto3 libkdb5-6 libkrb5support0 krb5-gss-samples krb5-locales
Architecture: source all amd64
Version: 1.10.1+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-gss-samples - MIT Kerberos GSS Sample applications
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-locales - Internationalization support for MIT Kerberos
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit8 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit8 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-6 - MIT Kerberos runtime libraries - Kerberos database
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 703457 704647 704775
Changes:
krb5 (1.10.1+dfsg-5) unstable; urgency=high
.
* Import workaround for getaddrinfo bug from upstream. Described in
upstream's RT 7124, Closes: #704647
* Correct CVE number for CVE-2012-1016 in changelog and patches, Closes:
#703457
* Import upstream's fix for CVE-2013-1416, Closes: #704775
Checksums-Sha1:
Checksums-Sha256:
Files:
Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Sun, 07 Apr 2013 17:09:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Mon, 08 Apr 2013 02:48:04 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 08 Apr 2013 02:48:04 GMT)
Message #32 received at 704775@bugs.debian.org:
On Sat, 6 Apr 2013, Michael Gilbert wrote:
> I'm not seeing any new kerberos releases:
> http://web.mit.edu/kerberos/krb5-1.10
Current Kerberos Security Team policy is to not issue security advisories
for null pointer dereference crashes. We assign CVE numbers for tracking,
but do not delay publishing a fix until a new point release is available.
> Is this perhaps not meant to be public knowledge yet?
The patch is intentionally public. Note that a user must be authenticated
in order to trigger the crash.
-Ben
Marked as found in versions krb5/1.8.3+dfsg-4squeeze6. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 12 Apr 2013 15:24:17 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 17:57:14 GMT)
Acknowledgement sent to Sam Hartman <hartmans@debian.org>: Extra info received and forwarded to list. (Mon, 15 Apr 2013 17:57:14 GMT)
Message #39 received at 704775@bugs.debian.org:
My recommendation is that this is not worth a DSA or stable fix for
squeeze unless some Debian user comes forward and says that they're
seeing crashes in the wild related to this.
--Sam
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 22:42:04 GMT)
Acknowledgement sent to Tom Yu <tlyu@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 15 Apr 2013 22:42:04 GMT)
Message #44 received at 704775@bugs.debian.org:
Sam Hartman <hartmans@debian.org> writes:
> My recommendation is that this is not worth a DSA or stable fix for
> squeeze unless some Debian user comes forward and says that they're
> seeing crashes in the wild related to this.
>
> --Sam
Keep in mind that unmodified client software can trivially trigger
this vulnerability. I can do an explicit check of the trigger against
the 1.8 branch if you'd like confirmation.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#704775; Package krb5-kdc. (Mon, 15 Apr 2013 23:48:04 GMT)
Acknowledgement sent to Sam Hartman <hartmans@debian.org>: Extra info received and forwarded to list. (Mon, 15 Apr 2013 23:48:04 GMT)
Message #49 received at 704775@bugs.debian.org:
>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
Tom> Sam Hartman <hartmans@debian.org> writes:
>> My recommendation is that this is not worth a DSA or stable fix
>> for squeeze unless some Debian user comes forward and says that
>> they're seeing crashes in the wild related to this.
>>
>> --Sam
Tom> Keep in mind that unmodified client software can trivially
Tom> trigger this vulnerability. I can do an explicit check of the
Tom> trigger against the 1.8 branch if you'd like confirmation.
I understand.
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Wed, 17 Apr 2013 02:03:04 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Wed, 17 Apr 2013 02:03:04 GMT)
Message #54 received at 704775@bugs.debian.org:
On Mon, 15 Apr 2013, Sam Hartman wrote:
>>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
>
> Tom> Sam Hartman <hartmans@debian.org> writes:
> >> My recommendation is that this is not worth a DSA or stable fix
> >> for squeeze unless some Debian user comes forward and says that
> >> they're seeing crashes in the wild related to this.
> >>
> >> --Sam
>
> Tom> Keep in mind that unmodified client software can trivially
> Tom> trigger this vulnerability. I can do an explicit check of the
> Tom> trigger against the 1.8 branch if you'd like confirmation.
>
> I understand.
Having seen the reproducer, I am of the opinion that this bug should get
fixed in stable.
I am planning to prepare a candidate stable upload (which may include
another bugfix if it seems appropriate) later this week for consideration.
-Ben
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#704775; Package krb5-kdc. (Mon, 22 Apr 2013 00:06:05 GMT)
Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 22 Apr 2013 00:06:05 GMT)
Message #59 received at 704775@bugs.debian.org:
On Tue, 16 Apr 2013, Benjamin Kaduk wrote:
> Having seen the reproducer, I am of the opinion that this bug should get
> fixed in stable.
> I am planning to prepare a candidate stable upload (which may include another
> bugfix if it seems appropriate) later this week for consideration.
The attached handles cve-2013-1416 (this bug) and cve-2013-1415 (no debian
bug number? Fixed in testing), as well as #704647 (rdns=false is broken).
The last is not exactly a security fix, so the patch is targeted for
stable-proposed-updates. A patch without that change could be targeted
for stable-security, but we see the #704647 issue crop up regularly on the
kerberos mailing lists and it would be very nice to get it fixed as well.
-Ben
[krb5-s-p-u.patch (text/plain, ATTACHMENT)]
diff -u krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
--- krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
@@ -111,19 +111,12 @@
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
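Review bot: the AF_INET-first lookup and its `try_getaddrinfo_again` retry are dropped without a comment saying why, so a later reader of sn2princ.c sees only a plain `getaddrinfo(hostname, 0, &hints, &ai)` with `ai_family` left at 0 by the memset. Add a one-line comment above the `memset` pointing at the upstream getaddrinfo bug this works around (RT 7124, per the 1.10.1+dfsg-5 changelog earlier in this log) so the IPv4-only hint is not reintroduced. Also confirm no other `goto try_getaddrinfo_again` remains in the function; with the label gone any such jump is a compile error, so a clean build of the patched tree is sufficient.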
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze7) stable-proposed-updates; urgency=high
+
+ * CVE-2013-1416 TGS-REQ null pointer dereference in KDC, Closes: #704775
+ * CVE-2013-1415 KDC null pointer dereference with PKINIT
+ * Import upstream's workaround for a getaddrinfo bug, Closes: #704647
+
+ -- Benjamin Kaduk <kaduk@mit.edu> Sun, 21 Apr 2013 15:49:14 -0400
+
krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high
* MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer
only in patch4:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.8.3+dfsg/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2879,7 +2879,7 @@
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
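Review bot: replacing `goto cleanup` with `return retval` when `is == NULL` avoids dereferencing `is->issuer` on the cleanup path, but the value of `retval` at that point is not visible in the hunk; confirm it already holds a non-zero error code, otherwise a kdcPkId that fails `d2i_PKCS7_ISSUER_AND_SERIAL` would be reported to the caller as success. Anything allocated before this point and released under `cleanup:` would also leak on the early return; the hunk shows only the fields of `is` being freed there, so this is fine if nothing else is.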
@@ -2889,7 +2889,6 @@
}
retval = 0;
-cleanup:
X509_NAME_free(is->issuer);
ASN1_INTEGER_free(is->serial);
free(is);
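Review bot: with the `cleanup:` label removed, the `X509_NAME_free(is->issuer)` / `ASN1_INTEGER_free(is->serial)` / `free(is)` sequence is reached only by falling through after `retval = 0`, where `is` is known to be non-NULL, which is the intended effect. Any other `goto cleanup` left in this function now fails to compile, so a build confirms there were no other jumpers. A less invasive alternative would keep the label and guard the frees with `if (is != NULL)`, which also covers any future early exit.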
only in patch4:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/kdc/do_tgs_req.c
+++ krb5-1.8.3+dfsg/src/kdc/do_tgs_req.c
@@ -1216,7 +1216,8 @@
retval = ENOMEM;
goto cleanup;
}
- strlcpy(comp1_str,comp1->data,comp1->length+1);
+ if (comp1->data != NULL)
+ memcpy(comp1_str, comp1->data, comp1->length);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
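Review bot: `memcpy` copies `comp1->length` bytes without writing a terminator, whereas the removed `strlcpy` always NUL-terminated, so the string uses of `comp1_str` that follow depend on the buffer having been zero-filled at allocation. The allocation sits just above the hunk (the `ENOMEM` check is the context) but is not visible here; confirm it is `calloc(1, comp1->length + 1)` or add an explicit `comp1_str[comp1->length] = '\0';` after the copy. The `comp1->data != NULL` guard is the CVE-2013-1416 fix itself: a component whose `data` pointer is NULL reached this copy and `strlcpy` read through it.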
@@ -1239,7 +1240,8 @@
retval = ENOMEM;
goto cleanup;
}
- strlcpy(temp_buf, comp2->data,comp2->length+1);
+ if (comp2->data != NULL)
+ memcpy(temp_buf, comp2->data, comp2->length);
retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
free(temp_buf);
if (retval) {
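Review bot: the same terminator concern applies to `temp_buf`: after the guarded `memcpy` it is passed to `krb5int_get_domain_realm_mapping` as a C string, so it must be zero-filled at allocation or explicitly terminated. Note the behavioural change when `comp2->data` is NULL: the buffer now holds the empty string and the realm lookup proceeds with "" instead of crashing; check that `krb5int_get_domain_realm_mapping` tolerates an empty host name, or skip the lookup in that case.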
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#704775; Package krb5-kdc. (Thu, 25 Apr 2013 13:39:04 GMT)
Acknowledgement sent to Sam Hartman <hartmans@debian.org>: Extra info received and forwarded to list. (Thu, 25 Apr 2013 13:39:04 GMT)
Message #64 received at 704775@bugs.debian.org:
OK.
Why don't you run that patch by debian-release@lists.debian.org with a
SRM tag in the subject.
If you get an ack, then I'm happy to sign and upload.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:17:11 GMT)
Last modified: Wed Jun 19 18:42:50 2019