Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2

2017-09-08 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2017-08-27 at 17:47 -0400, Sam Hartman wrote:
> I just uploaded the jessie update after fixing the extra comma in the
> changelog.  I did run tests covering these security updates.  I found
> that some of the tests included in make check were already failing on
> jessie and were still failing after this update.  It looks like this may
> be related to patches being pulled into what became the jessie release
> without all the corresponding testsuite changes also being pulled in.
> As an example I got a segfault in some of the profile tests and the
> GSS-API s4u tests cause a crash calling a method that doesn't seem to
> exist on the krb5 mechanism in this version.  Everything I found
> appears to be testsuite (rather than functional code) problems
> already in jessie and appears far from the code being touched by this
> update.

Flagged for acceptance; sorry for the delay in processing.

Regards,

Adam



Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2

2017-08-27 Thread Sam Hartman
I just uploaded the jessie update after fixing the extra comma in the
changelog.  I did run tests covering these security updates.  I found
that some of the tests included in make check were already failing on
jessie and were still failing after this update.  It looks like this may
be related to patches being pulled into what became the jessie release
without all the corresponding testsuite changes also being pulled in.
As an example I got a segfault in some of the profile tests and the
GSS-API s4u tests cause a crash calling a method that doesn't seem to
exist on the krb5 mechanism in this version.  Everything I found
appears to be testsuite (rather than functional code) problems
already in jessie and appears far from the code being touched by this
update.

--Sam



Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2

2017-08-27 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2017-08-13 at 18:24 -0400, Sam Hartman wrote:
> Hi. I'd like to get some security updates that were not serious enough
> for a DSA into jessie.  The security team encouraged me to make this
> request, so they are in the loop, but have not reviewed the diff or the
> specific set of CVEs fixed.
[...]
> +  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
> +#832572

As a minor point, that changelog entry appears to either be missing some
text or to contain spurious commas.

Please feel free to upload.

Regards,

Adam



Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2

2017-08-13 Thread Sam Hartman
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi. I'd like to get some security updates that were not serious enough
for a DSA into jessie.  The security team encouraged me to make this
request, so they are in the loop, but have not reviewed the diff or the
specific set of CVEs fixed.

Diff produced with git diff dgit/dgit/jessie debian after looking at
git diff --numstat dgit/dgit/jessie to make sure that all the changes
outside of debian were because of new applied patches.  Also confirmed
that dgit quilt-fixup shows no changes between the produced source
package and my tree.

I've confirmed this builds, but have not reviewed the diffs
line-by-line (although all these changes are shipping in stretch or
sid now) and have not finished my testing.
I'll do both of those things before uploading.

diff --git a/debian/changelog b/debian/changelog
index d90f21581b..6aa052a1c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high
+
+  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
+Closes: #869260
+  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
+#832572
+  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
+attackers, Closes: #819468
+  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
+  
+ -- Sam Hartman   Sun, 13 Aug 2017 18:02:34 -0400
+
 krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
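Review bot: the CVE-2016-3120 entry (`+  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:`) has a doubled comma and a double space after the bullet, and the four entries mix styles (`CVE-2017-11368: ...`, `fix for CVE-...`, `Prevent ... (CVE-2015-2694)`); one consistent form such as `  * Fix CVE-2016-3120: KDC crash with restrict_anonymous_to_tgt, Closes: #832572` would read better, and spelling the option out matches the name used in the patch header further down (`restrict_anonymous_to_tgt`). Also, the continuation lines (`+Closes: #869260`, `+#832572`, `+attackers, Closes: #819468`) show no leading indentation in this diff; if that is the real file content rather than mail wrapping, dpkg-parsechangelog will complain, so confirm the changelog parses in the uploaded source package.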
diff --git a/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch 
b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
new file mode 100644
index 00..f1f5ff13a8
--- /dev/null
+++ b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
@@ -0,0 +1,37 @@
+From: Greg Hudson 
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 
f7e4ca67d86a5a5b280b859072bbc5015a2ddd27
+Subject: Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)
+
+ticket: 8383
+version_fixed: 1.14.2
+
+(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
 krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch
+ if (db_args) {
+ for (i=0; db_args[i]; ++i) {
+ arg = strtok_r(db_args[i], "=", _val);
++arg = (arg != NULL) ? arg : "";
+ if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+ dptr = >tktpolicydn;
+ } else {
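Review bot: the one-line fix `++arg = (arg != NULL) ? arg : "";` is the right shape (strtok_r() returns NULL for an empty db_args[i], and the following strcmp() would dereference it), and an empty string then falls into the `else` branch at the end of the hunk; confirm that branch reports an unknown argument rather than treating `""` as a valid key. Separately, the patch body as it appears in this mail is mangled: `strtok_r(db_args[i], "=", _val)` and `dptr = >tktpolicydn;` have lost their `&...` operand, the target line ` krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c` has lost its `+++` prefix, and the `X-Dgit-Generated:` value wrapped onto an unprefixed second line (`f7e4ca67d86a5a5b280b859072bbc5015a2ddd27`), so this diff would not apply verbatim; review against the dgit tree rather than the mailed copy.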
diff --git a/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch 
b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
new file mode 100644
index 00..4b63bd8ee0
--- /dev/null
+++ b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
@@ -0,0 +1,51 @@
+From: Greg Hudson 
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 
862d5e532d03db566ee2955f69e008a253d39dec
+Subject: Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
+
+ticket: 8458
+version_fixed: 1.14.3
+
+(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
 krb5-1.12.1+dfsg/src/kdc/kdc_util.c
+@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+ 
+-if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py
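Review bot: the substitution of `client.princ` for `request->client` in the `check_anon()` call is only safe if a populated `client` entry is in scope at that point in the 1.12 validate_as_request(); the fix was written against 1.14 (`version_fixed: 1.14.3`), so confirm the backport builds and that `client` is the looked-up DB entry rather than an unset local in this older code. The hunk header declares 51 lines but the mail stops at `+--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py`, so the test-suite half of the patch is not visible here; given the follow-up that the GSS-API s4u tests crash on jessie, it is worth checking that this t_pkinit.py change applies cleanly and actually exercises the S4U2Self-with-restrict_anonymous_to_tgt case on jessie. Minor: the `  CVSSv2 Vector:` line is indented unlike the same line in the LDAP patch.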