Bug#969526: negotiate_kerberos_auth: Kerberos auth helper broken with error: "Invalid base64 token" after upgrade from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3
Control: tags -1 confirmed pending Hello Joel, Am 04.09.20 um 11:53 schrieb Joel K.: > Package: squid > Version: 3.5.23-5+deb9u3 > Severity: important > > > After upgrading from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3 the > negotiate_kerberos_auth helper is completely broken. The Kerberos code contained a typo this is why you see error messages like BH Invalid negotiate request token You can use my updated packages from https://people.debian.org/~apo/lts/squid3/stretch/ in the meantime. New official packages will follow soon. Regards, Markus signature.asc Description: OpenPGP digital signature
Bug#969526: negotiate_kerberos_auth: Kerberos auth helper broken with error: "Invalid base64 token" after upgrade from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3
Hi Joel K., > I've checked the changelog and the diff for version deb9u3. For me it > looks like the following patch broke the auth helper. > > This patch changed the negotiate_kerberos_auth code. Also the debug > error message I've received was added "ERROR: Invalid base64 token". > > * Improve patch for CVE-2019-12529 and replace more base64 code with code > from Nettle's crypto library. > > patches/CVE-2019-12529.patch > > My C knowledge is way too bad to find the problem in the code. Sorry :) No problem, thank you for your investigation regardless. I haven't looked at this issue myself, but what I've done here is added Markus to the CC of this bug as they prepared the +deb9u2 and +deb9u3 updates and may not see this message otherwise (not quite sure who is on the recipient list of this mail): squid3 (3.5.23-5+deb9u3) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * Fix regression when parsing icap and ecap protocols. Do not return PROTO_NONE anymore and prevent an assertion. (Closes: #965012) * Improve patch for CVE-2019-12529 and replace more base64 code with code from Nettle's crypto library. * Enable the test suite by default now. Fix test failures. -- Markus Koschany Sat, 08 Aug 2020 20:51:51 +0200 squid3 (3.5.23-5+deb9u2) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521, CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526, CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676, CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860, CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450. Several security vulnerabilites were discovered in squid3. Due to incorrect input validation and URL request handling it was possible to bypass access restrictions which allowed access to restricted HTTP servers and to cause a denial-of-service. -- Markus Koschany Fri, 10 Jul 2020 21:58:09 +0200 Hopefully the solution will be obvious/straightforward to Markus. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
Bug#969526: negotiate_kerberos_auth: Kerberos auth helper broken with error: "Invalid base64 token" after upgrade from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3
Package: squid Version: 3.5.23-5+deb9u3 Severity: important After upgrading from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3 the negotiate_kerberos_auth helper is completely broken. My squid.conf auth helper config: # cat /etc/squid/squid.conf auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -t none -s GSS_C_NO_NAME -k /etc/krb5_HTTP.keytab auth_param negotiate children 25 idle=2 startup=2 auth_param negotiate keep_alive on I've enabled the debug option for the Kerberos auth helper (-d). The following error where logged when I tried to use the proxy and authenticate with Kerberos. # less /var/log/squid/cache.log negotiate_kerberos_auth.cc(487): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq negotiate_kerberos_auth.cc(517): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Setting replay cache type to none negotiate_kerberos_auth.cc(546): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Setting keytab to /etc/krb5_HTTP.keytab negotiate_kerberos_auth.cc(570): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_29509 negotiate_kerberos_auth.cc(610): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: DEBUG: Got 'YR YI...snip...pQ==' from squid (length: 1887). negotiate_kerberos_auth.cc(664): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: DEBUG: Decode 'YI...snip...pQ==' (decoded length: 1413). negotiate_kerberos_auth.cc(672): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: ERROR: Invalid base64 token [YI...snip...pQ==] And now the same debug log with the old, working version 3.5.23-5+deb9u1 I used the same client and the same proxy to test the problem. Only downgraded the squid package to the old version. # less /var/log/squid/cache.log negotiate_kerberos_auth.cc(487): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq negotiate_kerberos_auth.cc(517): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Setting replay cache type to none negotiate_kerberos_auth.cc(546): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Setting keytab to /etc/krb5_HTTP.keytab negotiate_kerberos_auth.cc(570): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_31235 negotiate_kerberos_auth.cc(610): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Got 'YR YI...snip...Q5eg==' from squid (length: 1887). negotiate_kerberos_auth.cc(663): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Decode 'YI...snip...Q5eg==' (decoded length: 1411). negotiate_kerberos_pac.cc(376): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got PAC data of lengh 464 negotiate_kerberos_pac.cc(180): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Found 1 rids negotiate_kerberos_pac.cc(188): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: Info: Got rid: 515 negotiate_kerberos_pac.cc(256): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1...snip...59 negotiate_kerberos_pac.cc(278): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs negotiate_kerberos_pac.cc(327): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got ExtraSid S-...snip...-1 negotiate_kerberos_pac.cc(456): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Read 464 of 464 bytes negotiate_kerberos_auth.cc(778): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Groups group=AQU...snip...AAA== group=AQ...snip...AA negotiate_kerberos_auth.cc(783): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: AF oY...snip...pN67 host/test-pr...@dom.tds.int If you need the complete debug log with the token, write me a mail and I'll send them direct to you. I've checked the changelog and the diff for version deb9u3. For me it looks like the following patch broke the auth helper. This patch changed the negotiate_kerberos_auth code. Also the debug error message I've received was added "ERROR: Invalid base64 token". * Improve patch for CVE-2019-12529 and replace more base64 code with code from Nettle's crypto library. patches/CVE-2019-12529.patch My C knowledge is way too bad to find the problem in the code. Sorry :) Thank you Joel K. -- System Information: Debian Release: 9.13 APT prefers oldstable-updates APT policy: (990, 'oldstable-updates'), (990, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-13-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages squid