
Re: debdiff for CVE-2015-3206 (pykerberos)

Hi Guido,

On Wed 01 Jul 2015 09:05:36 CEST, Guido Günther wrote:

On Tue, Jun 30, 2015 at 09:14:14PM +0000, Mike Gabriel wrote:
Hi Guido,

I just saw that you are co-maintainer of pykerberos. I realized after I had
already put my name behind the package name in dla-needed.txt.

As you are also on the LTS team, do you want to continue with uploading the
package? Or shall I see to the upload and DLA? Maybe you just want to take a
quick look and let me proceed. Please let me know your preferences here.

Go ahead, you've done most of the work already. I had a look at the code
on github when triaging the bug and it looked correct then but can
break existing applications if we leave the default of verify == True
(as noted in the CVE list).

 -- Guido

I have played and tested the new "verify" option in checkPassword() just now.

It will break things in almost all setups if verify=True is the default.


  o if /etc/krb5.keytab (or whatever $KRB5_KTNAME points to) is missing,
    then an authentication attempt against Kerberos will fail.
  o NEW: if /etc/krb5.keytab (or $KRB5_KTNAME) is not readable by a user,
    then a login attempt will end in "Permission denied". As the most common
    case is that /etc/krb5.keytab is set to 0600, authentications will always
    fail with verify=True.

Actually, I cannot imagine a generic setup where verify=True as the default will not fail.

My proposal for pykerberos in Debian: Ship that patch, but set verify=False as the default in the Python checkPassword() function because it requires manual hands-on work to get pykerberos working with verify=True.

I'd appreciate some feedback on this before proceeding with an upload. Thanks.


mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
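
The two failure cases described in the message above (keytab missing, keytab not readable by the calling user) can be checked before enabling verify=True. The following is an added example, not part of the original message and not pykerberos code; the function names are hypothetical, and it assumes a file-based keytab and ignores any default_keytab_name override in krb5.conf.

```python
import os
import stat

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # default path named in the message


def keytab_path(environ=None):
    """Resolve the keytab file from $KRB5_KTNAME, else the default path."""
    environ = os.environ if environ is None else environ
    name = environ.get("KRB5_KTNAME", DEFAULT_KEYTAB)
    # MIT krb5 accepts "FILE:/path" and "WRFILE:/path" as well as a bare path.
    for prefix in ("FILE:", "WRFILE:"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def verify_preflight(environ=None):
    """Return (status, detail) for the user running this process.

    status is "ok", "missing", "unreadable" or "error"; "missing" and
    "unreadable" correspond to the two failure cases in the message.
    """
    path = keytab_path(environ)
    uid = os.geteuid()
    try:
        with open(path, "rb") as fh:
            fh.read(1)  # an actual read, so ACLs and mount options count too
    except FileNotFoundError:
        return "missing", f"{path} does not exist"
    except PermissionError:
        try:
            mode = oct(stat.S_IMODE(os.stat(path).st_mode))
        except OSError:
            mode = "unknown"  # parent directory not searchable
        return "unreadable", f"{path} (mode {mode}) not readable by uid {uid}"
    except OSError as exc:
        return "error", f"{path}: {exc}"
    return "ok", f"{path} is readable by uid {uid}"


if __name__ == "__main__":
    status, detail = verify_preflight()
    print(f"{status}: {detail}")
```

Run it as the account the authenticating service runs under, since the result depends on that user's access to the keytab.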

