Debian Bug report logs -
#599237
MITKRB5-SA-2010-006 [CVE-2010-1322]
Reported by: Sam Hartman <hartmans@debian.org>
Date: Wed, 6 Oct 2010 02:12:02 UTC
Severity: grave
Tags: security
Found in version krb5/1.8.3+dfsg~beta1-1
Fixed in version krb5/1.8.3+dfsg-2
Done: Sam Hartman <hartmans@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org:
Bug#599237; Package krb5-kdc.
(Wed, 06 Oct 2010 02:12:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Sam Hartman <hartmans@debian.org>:
New Bug report received and forwarded.
(Wed, 06 Oct 2010 02:12:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
package: krb5-kdc
version: 1.8.3+dfsg~beta1-1
severity: grave
tags: security
This bug tracks a DOS in krb5-kdc greater than version 1.8. I'll upload
the official patch tomorrow.
MIT's advisory talks about arbitrary code execution and other attacks;
I'm dubious about how practical these are based on how the code is built
in Debian, but it's easier to fix promptly than to analyze.
Information forwarded
to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#599237; Package krb5-kdc.
(Fri, 08 Oct 2010 10:00:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.
(Fri, 08 Oct 2010 10:00:03 GMT) (full text, mbox, link).
Message #10 received at 599237@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, Oct 05, 2010 at 10:09:13PM -0400, Sam Hartman wrote:
> This bug tracks a DOS in krb5-kdc greater than version 1.8. I'll upload
> the official patch tomorrow.
>
> MIT's advisory talks about arbitrary code execution and other attacks;
> I'm dubious about how practical these are based on how the code is built
> in Debian, but it's easier to fix promptly than to analyze.
I can confirm that the patch from upstream applies and appears to work
fine on our 1.8.3+dfsg-1 based package backported to lenny.
Cheers,
Dominic.
--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
[signature.asc (application/pgp-signature, inline)]
Added tag(s) pending.
Request was from Sam Hartman <hartmans@debian.org>
to control@bugs.debian.org.
(Wed, 13 Oct 2010 15:03:03 GMT) (full text, mbox, link).
Reply sent
to Sam Hartman <hartmans@debian.org>:
You have taken responsibility.
(Wed, 13 Oct 2010 21:21:16 GMT) (full text, mbox, link).
Notification sent
to Sam Hartman <hartmans@debian.org>:
Bug acknowledged by developer.
(Wed, 13 Oct 2010 21:21:16 GMT) (full text, mbox, link).
Message #17 received at 599237-close@bugs.debian.org (full text, mbox, reply):
Source: krb5
Source-Version: 1.8.3+dfsg-2
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:
krb5-admin-server_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-admin-server_1.8.3+dfsg-2_amd64.deb
krb5-doc_1.8.3+dfsg-2_all.deb
to main/k/krb5/krb5-doc_1.8.3+dfsg-2_all.deb
krb5-kdc-ldap_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-kdc-ldap_1.8.3+dfsg-2_amd64.deb
krb5-kdc_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-kdc_1.8.3+dfsg-2_amd64.deb
krb5-multidev_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-multidev_1.8.3+dfsg-2_amd64.deb
krb5-pkinit_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-pkinit_1.8.3+dfsg-2_amd64.deb
krb5-user_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/krb5-user_1.8.3+dfsg-2_amd64.deb
krb5_1.8.3+dfsg-2.diff.gz
to main/k/krb5/krb5_1.8.3+dfsg-2.diff.gz
krb5_1.8.3+dfsg-2.dsc
to main/k/krb5/krb5_1.8.3+dfsg-2.dsc
libgssapi-krb5-2_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libgssapi-krb5-2_1.8.3+dfsg-2_amd64.deb
libgssrpc4_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libgssrpc4_1.8.3+dfsg-2_amd64.deb
libk5crypto3_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libk5crypto3_1.8.3+dfsg-2_amd64.deb
libkadm5clnt-mit7_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkadm5clnt-mit7_1.8.3+dfsg-2_amd64.deb
libkadm5srv-mit7_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkadm5srv-mit7_1.8.3+dfsg-2_amd64.deb
libkdb5-4_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkdb5-4_1.8.3+dfsg-2_amd64.deb
libkrb5-3_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkrb5-3_1.8.3+dfsg-2_amd64.deb
libkrb5-dbg_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkrb5-dbg_1.8.3+dfsg-2_amd64.deb
libkrb5-dev_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkrb5-dev_1.8.3+dfsg-2_amd64.deb
libkrb53_1.8.3+dfsg-2_all.deb
to main/k/krb5/libkrb53_1.8.3+dfsg-2_all.deb
libkrb5support0_1.8.3+dfsg-2_amd64.deb
to main/k/krb5/libkrb5support0_1.8.3+dfsg-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 599237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 13 Oct 2010 10:41:19 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4 libkrb5support0 libkrb53
Architecture: source all amd64
Version: 1.8.3+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-4 - MIT Kerberos runtime libraries - Kerberos database
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 598032 599237 599562
Changes:
krb5 (1.8.3+dfsg-2) unstable; urgency=high
.
* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
kdc_authdata.c leading to KDC crash, Closes: #599237
* Fix two memory leaks in krb5_get_init_creds path; one of these memory
leaks is quite common for any application such as PAM or kinit that
gets initial credentials, thanks Bastian Blank, Closes: #598032
* Install doc/CHANGES only in krb5-doc, not in all packages, saves
several megabytes on most Debian systems, Closes: #599562
Checksums-Sha1:
1513708510e893e411e7b93e0b2e4c5a2dfaec64 1575 krb5_1.8.3+dfsg-2.dsc
04ccdf7ac8e84ef97fe6effd26f2e06cebc68182 98814 krb5_1.8.3+dfsg-2.diff.gz
e43a44fa87fa7abfe380e4bc2a76b02201d429a5 2254394 krb5-doc_1.8.3+dfsg-2_all.deb
42cd5de23549fc2a7cd3687699f39658bf6278e1 1372298 libkrb53_1.8.3+dfsg-2_all.deb
3ea8b711e363c36c0d339a8522500c17663a611d 137690 krb5-user_1.8.3+dfsg-2_amd64.deb
929859442e8d9c51a986cd641bd302045748cd16 217550 krb5-kdc_1.8.3+dfsg-2_amd64.deb
26d07aa8393c94d782ddc609fe91bc029499db97 116804 krb5-kdc-ldap_1.8.3+dfsg-2_amd64.deb
fb2b277fbe799f7716d6811fc58326509e47803b 111940 krb5-admin-server_1.8.3+dfsg-2_amd64.deb
184c0877fd3b010e450e9af22d7585ce85937a66 102986 krb5-multidev_1.8.3+dfsg-2_amd64.deb
fd260c762be4c8de035e80bb4292185313ab0a75 36656 libkrb5-dev_1.8.3+dfsg-2_amd64.deb
db1b1e29272a19ef655f0e1fdb651e8ff072f540 1627294 libkrb5-dbg_1.8.3+dfsg-2_amd64.deb
2029c32aad0cfacc284c30f4878bc0af55dfbd3d 77236 krb5-pkinit_1.8.3+dfsg-2_amd64.deb
509483bd5017c9eb5e6c2e5fa8d8bef5cd2e75e6 373792 libkrb5-3_1.8.3+dfsg-2_amd64.deb
30dd0e93fb65ecc27570fbc826dfd6b94fc8c935 129718 libgssapi-krb5-2_1.8.3+dfsg-2_amd64.deb
80d4c89ed1a9fe022e632bd5b444d3e76f51509a 83466 libgssrpc4_1.8.3+dfsg-2_amd64.deb
2f5049dfcbe56fe8cb22884762d0c4844bc4ecf2 77696 libkadm5srv-mit7_1.8.3+dfsg-2_amd64.deb
1e591ab5c02986321e118a43f688622bc608ef59 63976 libkadm5clnt-mit7_1.8.3+dfsg-2_amd64.deb
3deb0a51e172dd340c101c1353db09b57a90fd3d 105408 libk5crypto3_1.8.3+dfsg-2_amd64.deb
a9e58091360248e6b876867e2413ca46393db4f3 63460 libkdb5-4_1.8.3+dfsg-2_amd64.deb
5d3f90f5584c17fd544ef52273de3e63c6dee443 45172 libkrb5support0_1.8.3+dfsg-2_amd64.deb
Checksums-Sha256:
de99937b9609d1ea49d321b1b5b56baebf6d6b11f26b7c21f513eac1d51e06af 1575 krb5_1.8.3+dfsg-2.dsc
f4bb75226af50c41646feedec69a4a4aa3f656db74f951a36e985acef0771f76 98814 krb5_1.8.3+dfsg-2.diff.gz
c292706445bbd40cebe1d13a197836b1c3f67e2d736474718a864760e2458451 2254394 krb5-doc_1.8.3+dfsg-2_all.deb
2c8eb3c3e0fc15278d22319419b9c05a12c2a4331595b2dfeee29d388a6fb441 1372298 libkrb53_1.8.3+dfsg-2_all.deb
1ad5b4a162e74c001bf921c0ac84426f3f7ee0ec2985b4489c98d9e9eebb66aa 137690 krb5-user_1.8.3+dfsg-2_amd64.deb
20b1b525f64933ddf30cd38d67712638c4f47b989b5ec12b580a81c8d95e6f04 217550 krb5-kdc_1.8.3+dfsg-2_amd64.deb
dbd485f8e3831d14271532561ae860a930b154353b134d0d257367480f8b1f94 116804 krb5-kdc-ldap_1.8.3+dfsg-2_amd64.deb
144ca299048b43e201843c64771549b797bf58a001131b8c22b83ac11e7e33f1 111940 krb5-admin-server_1.8.3+dfsg-2_amd64.deb
58272495724eba27544e247c272ab1033852eb356f8d47944d5dd77eb96b3036 102986 krb5-multidev_1.8.3+dfsg-2_amd64.deb
8d63b9fd9faa122a99065ed539fcf05c2795e2b8af02960e9ca8695601461eb5 36656 libkrb5-dev_1.8.3+dfsg-2_amd64.deb
43cbeddba36ac412fe69ace98fbf88c47759c32d46d1870527f9d891ae0e107a 1627294 libkrb5-dbg_1.8.3+dfsg-2_amd64.deb
c6fbd1fc8b60e222829de41a579ccd0ddde826fd17233f0a041c2182dee0bfc9 77236 krb5-pkinit_1.8.3+dfsg-2_amd64.deb
90b4bb94ad47005d4e3d260f558324ea27a7d72baf7baffa61c860a1d24547fc 373792 libkrb5-3_1.8.3+dfsg-2_amd64.deb
54ae01bf2435d89062af1334370a0b80823e6878300add8af1c613bac84cba15 129718 libgssapi-krb5-2_1.8.3+dfsg-2_amd64.deb
4daff2ef047f87742bd70d16d8239c392001a1adc0e45e606ab0991f34868c80 83466 libgssrpc4_1.8.3+dfsg-2_amd64.deb
85d8bc849f445eff639617b3f25b4a79ace77ff1ec11aa0fdeb91848cfcdfac8 77696 libkadm5srv-mit7_1.8.3+dfsg-2_amd64.deb
8a5d9cc5e397bdd3d13ef7b99bf2a90065578211312b209e5e4b98acc590bb33 63976 libkadm5clnt-mit7_1.8.3+dfsg-2_amd64.deb
dd3b45b49e2679171e3de1116870244ff8328813a50879caf9a56f5d4a7ca813 105408 libk5crypto3_1.8.3+dfsg-2_amd64.deb
c6566df25431c65abe0eee2f635a56b06d99d273459b6124fcc7e2e64ea6464d 63460 libkdb5-4_1.8.3+dfsg-2_amd64.deb
57dfd31740fb3476388fcd6115e389146cc0a7a2b587ee82ad2a7681bcfb1d4b 45172 libkrb5support0_1.8.3+dfsg-2_amd64.deb
Files:
6b208637412557edd7ac84face327f72 1575 net standard krb5_1.8.3+dfsg-2.dsc
832d97716605693953abd5a3d0119c1c 98814 net standard krb5_1.8.3+dfsg-2.diff.gz
151df1a2555f1ca956375124dca9ebab 2254394 doc optional krb5-doc_1.8.3+dfsg-2_all.deb
b253c4ad242bd960a13012e8914f543a 1372298 oldlibs extra libkrb53_1.8.3+dfsg-2_all.deb
3b8800f30a2bd36f868badf580b9e9e7 137690 net optional krb5-user_1.8.3+dfsg-2_amd64.deb
6fc8e334cad0a97d7d4fb83be57bf592 217550 net optional krb5-kdc_1.8.3+dfsg-2_amd64.deb
22baaa3c7f3f8dc120b361b976cc7ea0 116804 net extra krb5-kdc-ldap_1.8.3+dfsg-2_amd64.deb
7b86069b5342aebe10958d89200884ad 111940 net optional krb5-admin-server_1.8.3+dfsg-2_amd64.deb
f4f3b110f8c63866749dd80ee269fed2 102986 libdevel optional krb5-multidev_1.8.3+dfsg-2_amd64.deb
719efd17fbfd2a842220134504d7cf29 36656 libdevel extra libkrb5-dev_1.8.3+dfsg-2_amd64.deb
0a1070ef85c8018d4f28823535b87318 1627294 debug extra libkrb5-dbg_1.8.3+dfsg-2_amd64.deb
8547ea931d4bab9dbed40281765e073e 77236 net extra krb5-pkinit_1.8.3+dfsg-2_amd64.deb
b3c74b327a6ca0e9de22670bedbfdf57 373792 libs standard libkrb5-3_1.8.3+dfsg-2_amd64.deb
12d2ceec7881062a2d035edd07cb5dc1 129718 libs standard libgssapi-krb5-2_1.8.3+dfsg-2_amd64.deb
3a8446febaffcd5253840d0e9e6303a8 83466 libs standard libgssrpc4_1.8.3+dfsg-2_amd64.deb
73b6c5ef308c6b85a7a284c3611f19e6 77696 libs standard libkadm5srv-mit7_1.8.3+dfsg-2_amd64.deb
5c4b510a19b1d63edc77e5088d386633 63976 libs standard libkadm5clnt-mit7_1.8.3+dfsg-2_amd64.deb
2cdb9b837c4b52ca7e819c6184617070 105408 libs standard libk5crypto3_1.8.3+dfsg-2_amd64.deb
365bd9b39ebb280d87176e4b78bbc428 63460 libs standard libkdb5-4_1.8.3+dfsg-2_amd64.deb
6476d4c4d5a7786cc4a3f5367d81b071 45172 libs standard libkrb5support0_1.8.3+dfsg-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAky2H1EACgkQ/I12czyGJg+fzACfXGaucjBYE3hsRctH0O4DWAz3
GS0AniM+PUQrEASKqNNlDe9Fu5YIyCh9
=DsQl
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 14 Nov 2010 07:33:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:40:26 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon