Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
reopen 702633
thanks

The changelog entry for krb5 1.10.1+dfsg-4+nmu1 mentions the CVE number 2013-1016; this vulnerability is actually CVE-2012-1016 (note 2012 instead of 2013). I don't see a debian-security-announce mail yet, so hopefully the typo will not be promulgated there.

-Ben Kaduk

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
> reopen 702633

Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain a fix for this bug?

If the answer to my first question is because it's not fixed in stable yet, then the re-opening was incorrect, as the actual effect was to mark it as not fixed in _unstable_.

Regards,

Adam
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
On Tue, 19 Mar 2013, Adam D. Barratt wrote:
> On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
>> reopen 702633
>
> Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain a fix for this bug?

The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, and as such the purported fix for this bug is incomplete, as the documentation of the change is incorrect. Now, it may be that the package maintainer or the security team may decide that a version bump is not necessary to correct this error, but such a decision should be explicitly made (IMHO).

> If the answer to my first question is because it's not fixed in stable yet, then the re-opening was incorrect, as the actual effect was to mark it as not fixed in _unstable_.

My action of reopening the bug reflects the contents of the package in unstable.

-Ben Kaduk
Processed: Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Processing control commands:

> fixed -1 1.10.1+dfsg-4+nmu1
Bug #702633 [src:krb5] CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Marked as fixed in versions krb5/1.10.1+dfsg-4+nmu1.

--
702633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Control: fixed -1 1.10.1+dfsg-4+nmu1

On Tue, 2013-03-19 at 16:04 -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
>> On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
>>> reopen 702633
>>
>> Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain a fix for this bug?
>
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, and as such the purported fix for this bug is incomplete, as the documentation of the change is incorrect. Now, it may be that the package maintainer or the security team may decide that a version bump is not necessary to correct this error, but such a decision should be explicitly made (IMHO).

This bug is about CVE-2012-1016. If the package contains a fix for CVE-2012-1016 then the bug is fixed, whether or not the changelog correctly indicates that. Yes, the changelog should be corrected, but that doesn't change the fact that the package includes the fix for the security issue discussed in this bug report.

Regards,

Adam
(Not that it should matter, but with a Release Manager hat on; the maintainer / security team are of course free to disagree...)
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Hi Benjamin

On Tue, Mar 19, 2013 at 04:04:59PM -0400, Benjamin Kaduk wrote:
> On Tue, 19 Mar 2013, Adam D. Barratt wrote:
>> On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
>>> reopen 702633
>>
>> Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain a fix for this bug?
>
> The changelog entry for 1.10.1+dfsg-4+nmu1 mentions the wrong CVE number, and as such the purported fix for this bug is incomplete, as the documentation of the change is incorrect. Now, it may be that the package maintainer or the security team may decide that a version bump is not necessary to correct this error, but such a decision should be explicitly made (IMHO).
>
>> If the answer to my first question is because it's not fixed in stable yet, then the re-opening was incorrect, as the actual effect was to mark it as not fixed in _unstable_.
>
> My action of reopening the bug reflects the contents of the package in unstable.

Thank you for noticing this. To track this I opened http://bugs.debian.org/703457

Hope that helps,
Salvatore
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
tags 702633 + patch
thanks

Hello,

After checking the source code, this part of the code does not seem to have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at least the version available in testing and unstable. The current code is:

    if ((rep9 != NULL &&
         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {

        /* If mutually supported KDFs were found, use the alg agility KDF */
        if (rep->u.dh_Info.kdfID) {

Thus, rep could be NULL which has been addressed by the following upstream patch:
https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff

I also prepared a NMU[0] in case it helps (it builds fine with cowbuilder but I could not test it though) and attached the diff to this email.

Cheers,
--
Arnaud Fontaine

[0] http://people.debian.org/~arnau/packages/krb5/

diff -Nru krb5-1.10.1+dfsg/debian/changelog krb5-1.10.1+dfsg/debian/changelog --- krb5-1.10.1+dfsg/debian/changelog 2013-02-20 10:54:44.0 +0900 +++ krb5-1.10.1+dfsg/debian/changelog 2013-03-15 17:03:05.0 +0900 @@ -1,3 +1,10 @@ +krb5 (1.10.1+dfsg-4.1) unstable; urgency=high + + * Non-maintainer upload. + * KDC null pointer dereference with PKINIT, CVE-2012-1016. Closes: #702633. + + -- Arnaud Fontaine ar...@debian.org Fri, 15 Mar 2013 17:01:29 +0900 + krb5 (1.10.1+dfsg-4) unstable; urgency=high * KDC null pointer dereference with PKINIT, CVE-2013-1415 diff -Nru krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch --- krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch 1970-01-01 09:00:00.0 +0900 +++ krb5-1.10.1+dfsg/debian/patches/0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch 2013-03-15 16:59:56.0 +0900 
@@ -0,0 +1,38 @@ +commit cd5ff932c9d1439c961b0cf9ccff979356686aff +Author: Nalin Dahyabhai na...@redhat.com +Date: Thu Dec 13 14:26:07 2012 -0500 + +PKINIT (draft9) null ptr deref [CVE-2012-1016] + +Don't check for an agility KDF identifier in the non-draft9 reply +structure when we're building a draft9 reply, because it'll be NULL. + +The KDC plugin for PKINIT can dereference a null pointer when handling +a draft9 request, leading to a crash of the KDC process. An attacker +would need to have a valid PKINIT certificate, or an unauthenticated +attacker could execute the attack if anonymous PKINIT is enabled. + +CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C + +[t...@mit.edu: reformat comment and edit log message] + +ticket: 7506 (new) +target_version: 1.11 +tags: pullup + +Index: krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c +=== +--- krb5-1.10.1+dfsg.orig/src/plugins/preauth/pkinit/pkinit_srv.c 2013-03-15 16:52:57.703154249 +0900 krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c 2013-03-15 16:58:58.971037553 +0900 +@@ -1016,8 +1016,9 @@ + rep9-choice == choice_pa_pk_as_rep_draft9_dhSignedData) || + (rep != NULL rep-choice == choice_pa_pk_as_rep_dhInfo)) { + +-/* If mutually supported KDFs were found, use the alg agility KDF */ +-if (rep-u.dh_Info.kdfID) { ++/* If we're not doing draft 9, and mutually supported KDFs were found, ++ * use the algorithm agility KDF. */ ++if (rep != NULL rep-u.dh_Info.kdfID) { + secret.data = server_key; + secret.length = server_key_len; + diff -Nru krb5-1.10.1+dfsg/debian/patches/series krb5-1.10.1+dfsg/debian/patches/series --- krb5-1.10.1+dfsg/debian/patches/series 2013-02-20 10:54:44.0 +0900 +++ krb5-1.10.1+dfsg/debian/patches/series 2013-03-15 16:52:26.0 +0900 @@ -19,3 +19,4 @@ upstream/0019-Null-pointer-deref-in-kadmind-CVE-2012-1013.patch 0020-gssapi-never-unload-mechanisms.patch 0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch +0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch
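Review bot: in the debian/changelog hunk, the new 1.10.1+dfsg-4.1 entry reuses the -4 entry's wording ("KDC null pointer dereference with PKINIT") with only the CVE number changed, which makes the two PKINIT fixes easy to confuse when reading or copying changelog lines; suggest stating the distinguishing detail, e.g. `* PKINIT draft9 null pointer dereference in pkinit_srv.c, CVE-2012-1016 (upstream ticket 7506). Closes: #702633.`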
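Review bot: the new quilt patch 0022-PKINIT-null-pointer-deref-CVE-2012-1016.patch carries the upstream commit header but no DEP-3 fields, so consider adding `Origin: upstream, https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff` and `Bug-Debian: http://bugs.debian.org/702633` above the `Index:` line to make the provenance machine-readable. The code change itself is right: the enclosing condition is satisfied by `rep9` alone, so on the draft9 path `rep` is NULL and the added `rep != NULL` guard is required before reading `rep->u.dh_Info.kdfID`; the `@@ -1016,8 +1016,9 @@` header is consistent with two lines removed and three added.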
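A constructed C model of the KDF selection step Arnaud quotes, added here as an example and not code from krb5 or from this thread; the struct shapes, enum values and the `choose_kdf_*` / `unpatched_would_deref_null` names are assumptions. It places the 1.10.1 test beside the patched one and shows that a draft9 request enters the outer branch with `rep == NULL`, which only the patched form survives.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the KDC's two PKINIT reply shapes (added example, not
 * krb5's ASN.1 types); only the fields the vulnerable test touches are kept. */
enum { choice_pa_pk_as_rep_dhInfo = 1, choice_pa_pk_as_rep_draft9_dhSignedData = 1 };
typedef struct { int choice; } pa_pk_as_rep_draft9;
typedef struct { int choice; union { struct { int kdfID; } dh_Info; } u; } pa_pk_as_rep;
enum kdf_kind { KDF_NONE = 0, KDF_OCTETSTRING2KEY = 1, KDF_ALG_AGILITY = 2 };

#define DH_REPLY(rep9, rep) \
    (((rep9) != NULL && (rep9)->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || \
     ((rep) != NULL && (rep)->choice == choice_pa_pk_as_rep_dhInfo))

/* Unpatched 1.10.1 logic: DH_REPLY is true for a draft9 request with rep == NULL,
 * so the inner test dereferences NULL and the KDC process crashes. */
enum kdf_kind choose_kdf_unpatched(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    if (!DH_REPLY(rep9, rep))
        return KDF_NONE;
    return rep->u.dh_Info.kdfID ? KDF_ALG_AGILITY : KDF_OCTETSTRING2KEY;
}

/* Patched logic (upstream commit cd5ff932): a draft9 reply never carries a kdfID,
 * so guard the dereference and fall through to octetstring2key. */
enum kdf_kind choose_kdf_patched(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    if (!DH_REPLY(rep9, rep))
        return KDF_NONE;
    return (rep != NULL && rep->u.dh_Info.kdfID) ? KDF_ALG_AGILITY : KDF_OCTETSTRING2KEY;
}

/* Triage check: would the unpatched inner test run with rep == NULL? Evaluated
 * without dereferencing rep, so it is safe to call on any input. */
int unpatched_would_deref_null(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    return rep == NULL && DH_REPLY(rep9, rep);
}

int main(void)
{
    pa_pk_as_rep_draft9 d9 = { choice_pa_pk_as_rep_draft9_dhSignedData };
    pa_pk_as_rep rfc4556 = { choice_pa_pk_as_rep_dhInfo, { { 5 } } };
    printf("draft9: unpatched crashes=%d patched kdf=%d\n",
           unpatched_would_deref_null(&d9, NULL), (int)choose_kdf_patched(&d9, NULL));
    printf("RFC 4556 with kdfID=5: kdf=%d\n", (int)choose_kdf_patched(NULL, &rfc4556));
    return 0;
}
```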
Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c
Package: src:krb5
Version: 1.10.1+dfsg-4
Severity: serious
Tags: security

Dear kerberos maintainers,

I noticed that your recent upload of 1.10.1+dfsg-4 fixed CVE-2013-1415, but it does not say anything about CVE-2012-1016. Those two vulnerabilities were fixed in the same upstream release 1.10.4. Could you have a look at whether this particular issue CVE-2012-1016 affects us and downgrade or close this bug as appropriate?

Helmut