Re: [SRM] proposed krb5 upload for stable

2014-09-20 Thread Julien Cristau
On Thu, Apr 25, 2013 at 15:53:40 -0400, Benjamin Kaduk wrote:

> Hi all,
>
> I've been working with hartmans to get some updates to krb5 into Debian (he
> is pretty busy these days, and I'm at upstream).  A couple of issues are
> serious enough that I think they merit being fixed in stable:
>
> #704775 - KDC crash by authenticated user with unmodified client tools
> #704647 - use of reverse DNS cannot be disabled, which breaks many
>   configurations
>
> CVE-2013-1415 (KDC null pointer dereference with PKINIT) was not assigned a
> Debian bug number because we imported the fix right away.  It is less
> serious than #704775, but the patch is very small and it seemed worth
> including if an upload was to happen.
>
> These patches are all taken from upstream, and are already in wheezy.
>
> Per the quoted mail below (from #704775), Sam is prepared to upload the
> attached debdiff given SRM approval.
 
Hi Benjamin,

I'm really sorry we didn't reply to this mail in anywhere close to a
reasonable time.  As squeeze is now EOL I guess this is now moot.  In
the future, please open bugs against the release.debian.org
pseudo-package for proposed stable or oldstable updates, there's less
chance of something slipping through the cracks that way.

Thanks for understanding,
Julien




Re: [SRM] proposed krb5 upload for stable

2014-09-20 Thread Michael Gilbert
On Sat, Sep 20, 2014 at 12:24 PM, Julien Cristau wrote:
> On Thu, Apr 25, 2013 at 15:53:40 -0400, Benjamin Kaduk wrote:
>
>> Hi all,
>>
>> I've been working with hartmans to get some updates to krb5 into Debian (he
>> is pretty busy these days, and I'm at upstream).  A couple of issues are
>> serious enough that I think they merit being fixed in stable:
>>
>> #704775 - KDC crash by authenticated user with unmodified client tools
>> #704647 - use of reverse DNS cannot be disabled, which breaks many
>>   configurations
>>
>> CVE-2013-1415 (KDC null pointer dereference with PKINIT) was not assigned a
>> Debian bug number because we imported the fix right away.  It is less
>> serious than #704775, but the patch is very small and it seemed worth
>> including if an upload was to happen.
>>
>> These patches are all taken from upstream, and are already in wheezy.
>>
>> Per the quoted mail below (from #704775), Sam is prepared to upload the
>> attached debdiff given SRM approval.
>
> Hi Benjamin,
>
> I'm really sorry we didn't reply to this mail in anywhere close to a
> reasonable time.  As squeeze is now EOL I guess this is now moot.  In
> the future, please open bugs against the release.debian.org
> pseudo-package for proposed stable or oldstable updates, there's less
> chance of something slipping through the cracks that way.

Hi Benjamin,

You can do a squeeze LTS upload on your own now.  Please see:
https://wiki.debian.org/LTS/Development

Best wishes,
Mike





[SRM] proposed krb5 upload for stable

2013-04-25 Thread Benjamin Kaduk

Hi all,

I've been working with hartmans to get some updates to krb5 into Debian 
(he is pretty busy these days, and I'm at upstream).  A couple of 
issues are serious enough that I think they merit being fixed in stable:


#704775 - KDC crash by authenticated user with unmodified client tools
#704647 - use of reverse DNS cannot be disabled, which breaks many
  configurations

CVE-2013-1415 (KDC null pointer dereference with PKINIT) was not assigned 
a Debian bug number because we imported the fix right away.  It is less 
serious than #704775, but the patch is very small and it seemed worth 
including if an upload was to happen.


These patches are all taken from upstream, and are already in wheezy.

Per the quoted mail below (from #704775), Sam is prepared to upload the 
attached debdiff given SRM approval.


Thanks,

Ben Kaduk



On Thu, 25 Apr 2013, Sam Hartman wrote:


> OK.
> Why don't you run that patch by debian-release@lists.debian.org with a
> SRM tag in the subject.
> If you get an ack, then I'm happy to sign and upload.

diff -u krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c 
krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
--- krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8.3+dfsg/src/lib/krb5/os/sn2princ.c
@@ -111,19 +111,12 @@
hostnames associated.  */
 
 memset(hints, 0, sizeof(hints));
-hints.ai_family = AF_INET;
 hints.ai_flags = AI_CANONNAME;
-try_getaddrinfo_again:
 err = getaddrinfo(hostname, 0, hints, ai);
 if (err) {
 #ifdef DEBUG_REFERRALS
 printf(sname_to_princ: probably punting due to bad hostname 
of %s\n,hostname);
 #endif
-if (hints.ai_family == AF_INET) {
-/* Just in case it's an IPv6-only name.  */
-hints.ai_family = 0;
-goto try_getaddrinfo_again;
-}
 return KRB5_ERR_BAD_HOSTNAME;
 }
 remote_host = strdup(ai-ai_canonname ? ai-ai_canonname : 
hostname);
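
Review bot: In the sn2princ.c hunk, dropping `hints.ai_family = AF_INET` together with the `try_getaddrinfo_again` retry leaves the address family at whatever the `memset` zeroed it to, and nothing in the code says this is deliberate. A short comment above the `getaddrinfo` call stating that the family is intentionally left unspecified, with a pointer to #704647, would keep a later cleanup from reintroducing the AF_INET-first lookup. The changelog describes this as a workaround for a getaddrinfo bug, so the comment should also name the behaviour being worked around, since the hunk alone does not show how it relates to reverse DNS.
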
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze7) stable-proposed-updates; urgency=high
+
+  * CVE-2013-1416 TGS-REQ null pointer dereference in KDC, Closes: #704775
+  * CVE-2013-1415 KDC null pointer dereference with PKINIT
+  * Import upstream's workaround for a getaddrinfo bug, Closes: #704647
+
+ -- Benjamin Kaduk ka...@mit.edu  Sun, 21 Apr 2013 15:49:14 -0400
+
 krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high
 
   * MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer
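
Review bot: The third changelog bullet, "Import upstream's workaround for a getaddrinfo bug", does not tell a stable user what changes for them; the cover mail describes #704647 as reverse DNS that cannot be disabled, and the entry should be worded in those terms. The CVE-2013-1415 bullet has no Closes: reference, which the mail explains (no Debian bug was filed), but a pointer to the upstream fix in the entry would make the changelog self-contained.
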
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.8.3+dfsg/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2879,7 +2879,7 @@
 pkiDebug(found kdcPkId in AS REQ\n);
 is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, p, (int)pkid_len);
 if (is == NULL)
-goto cleanup;
+return retval;
 
 status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is-issuer);
 if (!status) {
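
Review bot: The new `return retval;` on the `is == NULL` path depends on `retval` still holding an error value at that point, and its initialisation is outside the hunk. Please confirm that, or return an explicit error code here, so the function cannot report success when `d2i_PKCS7_ISSUER_AND_SERIAL` fails to decode the kdcPkId. Returning early is the right direction, because the code at the old `cleanup:` label dereferences `is`.
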
@@ -2889,7 +2889,6 @@
 }
 
 retval = 0;
-cleanup:
 X509_NAME_free(is-issuer);
 ASN1_INTEGER_free(is-serial);
 free(is);
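
Review bot: With the `cleanup:` label removed, the three frees are reached only by fall-through and still dereference `is` without a check. That is safe given the early return added in the previous hunk, but any error path added later between the decode and this block has no label to jump to and would have to duplicate the frees. Keeping the label and guarding the block with `if (is != NULL)` would be a smaller and more robust change; if the upstream form is kept for fidelity, say so in the patch description.
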
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/kdc/do_tgs_req.c
+++ krb5-1.8.3+dfsg/src/kdc/do_tgs_req.c
@@ -1216,7 +1216,8 @@
 retval = ENOMEM;
 goto cleanup;
 }
-strlcpy(comp1_str,comp1-data,comp1-length+1);
+if (comp1-data != NULL)
+memcpy(comp1_str, comp1-data, comp1-length);
 
 if ((krb5_princ_type(kdc_context, request-server) == KRB5_NT_SRV_HST 
||
  krb5_princ_type(kdc_context, request-server) == KRB5_NT_SRV_INST 
||
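
Review bot: Replacing `strlcpy` with `memcpy` at the `comp1_str` copy drops the NUL terminator that `strlcpy` wrote, so `comp1_str` is a valid C string only if the allocation above zero-fills `comp1->length + 1` bytes, and only the ENOMEM path of that allocation is visible in the hunk. Please confirm the allocation is zero-filled, or terminate the buffer explicitly after the copy. When the data pointer is NULL the copy is skipped and the code continues with whatever the buffer holds, so the same assumption covers that path too.
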
@@ -1239,7 +1240,8 @@
 retval = ENOMEM;
 goto cleanup;
 }
-strlcpy(temp_buf, comp2-data,comp2-length+1);
+if (comp2-data != NULL)
+memcpy(temp_buf, comp2-data, comp2-length);
 retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, 
realms);
 free(temp_buf);
 if (retval) {
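
Review bot: `temp_buf` is passed straight to `krb5int_get_domain_realm_mapping` as a string, so the missing terminator after `memcpy` matters most in this hunk; the zero-fill question raised for `comp1_str` applies here as well. When `comp2->data` is NULL the realm lookup now proceeds on an unfilled buffer instead of failing; consider freeing `temp_buf` and taking the error path in that case rather than looking up an empty name.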