Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package krb5

Upstream released a patch for CVE-2014-5355, a NULL dereference or out-of-bounds read in krb5_recvauth(). It is not clear that any aging is necessary; perhaps the security team will request some. The attached debdiff includes upstream's commit message, which includes more details about the issue.

unblock krb5/1.12.1+dfsg-18

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog --- krb5-1.12.1+dfsg/debian/changelog 2015-02-03 10:33:39.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/changelog 2015-02-18 12:52:19.000000000 -0500 @@ -1,3 +1,9 @@ +krb5 (1.12.1+dfsg-18) unstable; urgency=high + + * Import upstream patch for CVE-2014-5355, Closes: #778647 + + -- Benjamin Kaduk <ka...@mit.edu> Wed, 18 Feb 2015 12:52:14 -0500 + krb5 (1.12.1+dfsg-17) unstable; urgency=high * MITKRB5-SA-2015-001 diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm --- krb5-1.12.1+dfsg/debian/.git-dpm 2015-02-03 10:33:39.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/.git-dpm 2015-02-18 12:39:54.000000000 -0500 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -769a3f26c919339002ef2936592a90d144d0e238 -769a3f26c919339002ef2936592a90d144d0e238 +200a429df2c47467eb3a0973eb7594a475cc18fe +200a429df2c47467eb3a0973eb7594a475cc18fe 00dec38e79dd6436e9efed873df00e6ea11fdd0e 00dec38e79dd6436e9efed873df00e6ea11fdd0e krb5_1.12.1+dfsg.orig.tar.gz diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series --- krb5-1.12.1+dfsg/debian/patches/series 2015-02-03 10:33:39.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/patches/series 2015-02-18 12:39:54.000000000 -0500 
@@ -27,3 +27,4 @@ upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch 0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch upstream/0029-MITKRB5-SA-2015-0001.patch +upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch --- krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch 1969-12-31 19:00:00.000000000 -0500 +++ krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch 2015-02-18 12:39:54.000000000 -0500 
@@ -0,0 +1,112 @@ +From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghud...@mit.edu> +Date: Tue, 9 Dec 2014 12:37:44 -0500 +Subject: Fix krb5_read_message handling [CVE-2014-5355] + +In recvauth_common, do not use strcmp against the data fields of +krb5_data objects populated by krb5_read_message(), as there is no +guarantee that they are C strings. Instead, create an expected +krb5_data value and use data_eq(). + +In the sample user-to-user server application, check that the received +client principal name is null-terminated before using it with printf +and krb5_parse_name. + +CVE-2014-5355: + +In MIT krb5, when a server process uses the krb5_recvauth function, an +unauthenticated remote attacker can cause a NULL dereference by +sending a zero-byte version string, or a read beyond the end of +allocated storage by sending a non-null-terminated version string. +The example user-to-user server application (uuserver) is similarly +vulnerable to a zero-length or non-null-terminated principal name +string. + +The krb5_recvauth function reads two version strings from the client +using krb5_read_message(), which produces a krb5_data structure +containing a length and a pointer to an octet sequence. krb5_recvauth +assumes that the data pointer is a valid C string and passes it to +strcmp() to verify the versions. If the client sends an empty octet +sequence, the data pointer will be NULL and strcmp() will dereference +a NULL pointer, causing the process to crash. If the client sends a +non-null-terminated octet sequence, strcmp() will read beyond the end +of the allocated storage, possibly causing the process to crash. + +uuserver similarly uses krb5_read_message() to read a client principal +name, and then passes it to printf() and krb5_parse_name() without +verifying that it is a valid C string. + +The krb5_recvauth function is used by kpropd and the Kerberized +versions of the BSD rlogin and rsh daemons. 
These daemons are usually +run out of inetd or in a mode which forks before processing incoming +connections, so a process crash will generally not result in a +complete denial of service. + +Thanks to Tim Uglow for discovering this issue. + +CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C + +[t...@mit.edu: CVSS score] + +ticket: 8050 (new) +target_version: 1.13.1 +tags: pullup + +(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec) + +Patch-Category: upstream +--- + src/appl/user_user/server.c | 4 +++- + src/lib/krb5/krb/recvauth.c | 9 ++++++--- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c +index dbff68e..b136c72 100644 +--- a/src/appl/user_user/server.c ++++ b/src/appl/user_user/server.c +@@ -113,8 +113,10 @@ int main(argc, argv) + } + #endif + ++ /* principal name must be sent null-terminated. */ + retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data); +- if (retval) { ++ if (retval || pname_data.length == 0 || ++ pname_data.data[pname_data.length - 1] != '\0') { + com_err ("uu-server", retval, "reading pname"); + return 2; + } +diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c +index da836283..5adc6dd 100644 +--- a/src/lib/krb5/krb/recvauth.c ++++ b/src/lib/krb5/krb/recvauth.c +@@ -59,6 +59,7 @@ recvauth_common(krb5_context context, + krb5_rcache rcache = 0; + krb5_octet response; + krb5_data null_server; ++ krb5_data d; + int need_error_free = 0; + int local_rcache = 0, local_authcon = 0; + +@@ -77,7 +78,8 @@ recvauth_common(krb5_context context, + */ + if ((retval = krb5_read_message(context, fd, &inbuf))) + return(retval); +- if (strcmp(inbuf.data, sendauth_version)) { ++ d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1); ++ if (!data_eq(inbuf, d)) { + problem = KRB5_SENDAUTH_BADAUTHVERS; + response = 1; + } +@@ -93,8 +95,9 @@ recvauth_common(krb5_context context, + */ + if ((retval = 
krb5_read_message(context, fd, &inbuf))) + return(retval); +- if (appl_version && strcmp(inbuf.data, appl_version)) { +- if (!problem) { ++ if (appl_version != NULL && !problem) { ++ d = make_data(appl_version, strlen(appl_version) + 1); ++ if (!data_eq(inbuf, d)) { + problem = KRB5_SENDAUTH_BADAPPLVERS; + response = 2; + }
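
Review bot: In the src/appl/user_user/server.c hunk, the widened condition reaches com_err ("uu-server", retval, "reading pname") with retval == 0 whenever the read succeeded but pname_data is empty or lacks a trailing '\0', so the rejected input is logged without a meaningful error code. Handling the malformed-name case in its own branch with a distinct message, or setting a non-zero code before the com_err call, would let an operator tell a transport failure apart from a rejected principal name.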
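
Review bot: In the first comparison hunk of src/lib/krb5/krb/recvauth.c, the expected value is built with strlen(sendauth_version) + 1, so the match now depends on the peer sending the terminating NUL as part of the message, and nothing in the hunk says so. A one-line comment above the make_data() call stating that the version string on the wire includes its terminator would explain the + 1. The (char *) cast on sendauth_version also deserves a word, since the matching make_data(appl_version, ...) call in the next hunk has none.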
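
Review bot: In the appl_version hunk of src/lib/krb5/krb/recvauth.c, moving !problem into the outer condition means the application version is no longer compared at all once the sendauth version has failed; that matches the old result, but a short comment saying the first failure wins would make the intent explicit. The diffstat lists only server.c and recvauth.c, so neither the zero-length nor the unterminated version string described in the commit message is covered by a regression test; adding one for each input would pin both data_eq() comparisons.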