Re: debdiff for CVE-2015-3206 (pykerberos)

Hi Mike,
On Thu, Jul 02, 2015 at 09:05:52AM +0000, Mike Gabriel wrote:
> Hi Guido,
> On Wed 01 Jul 2015 09:05:36 CEST, Guido Günther wrote:
> >On Tue, Jun 30, 2015 at 09:14:14PM +0000, Mike Gabriel wrote:
> >>Hi Guido,
> >>
> >>I just saw that you are co-maintainer of pykerberos. I realized after I had
> >>already put my name behind the package name in dla-needed.txt.
> >>
> >>As you are also on the LTS team, do you want to continue with uploading the
> >>package? Or shall I see to the upload and DLA? Maybe you just want to take a
> >>quick look and let me proceed. Please let me know your preferences here.
> >
> >Go ahead, you've done most of the work already. I had a look at the code
> >on github when triaging the bug and it looked correct then but can
> >break existing applications if we leave the default of verify == True
> >(as noted in the CVE list).
> >
> >Cheers,
> > -- Guido
> I have played and tested the new "verify" option in checkPassword() just now.
> It will break things in almost all setups if verify=True is the default.
> Reasons:
>   o if /etc/krb5.keytab (or whatever $KRB5_KTNAME points to) is missing,
>     then an authentication attempt against Kerberos will fail.
>   o NEW: if /etc/krb5.keytab (or $KRB5_KTNAME) is not readable by a user,
>     then a login attempt will end in "Permission denied". As the most common
>     case is that /etc/krb5.keytab is set to 0600, authentications will always
>     fail with verify=True.

Yeah, that's basically what I meant by "break existing applications", but
you describe it better and in far more detail.

I'd go for false by default too. We should also add a note which
explains which principal to add to /etc/krb5.keytab to get verify=True.

 -- Guido
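Added example, not code from this thread or from pykerberos itself: a preflight that mirrors the two failure modes Mike lists above. It resolves the keytab from $KRB5_KTNAME (default /etc/krb5.keytab) and only calls a checkPassword-style function with verify=True when that file exists and is readable by the calling uid, so an operator sees a keytab configuration error rather than a generic login failure. The injectable `check` callable and the (ok, reason) return shape are assumptions for illustration; in real use `check` would be kerberos.checkPassword.

```python
import os
import stat

DEFAULT_KEYTAB = "/etc/krb5.keytab"


def keytab_path(env=None):
    """Resolve the keytab libkrb5 will read: $KRB5_KTNAME, else the default."""
    env = os.environ if env is None else env
    value = env.get("KRB5_KTNAME", DEFAULT_KEYTAB)
    # libkrb5 accepts a FILE: prefix; drop it so the path can be stat()ed.
    return value[5:] if value.startswith("FILE:") else value


def keytab_problem(path):
    """Return None if the keytab is usable for verify=True, else the reason."""
    if not os.path.exists(path):
        return "keytab %s is missing; verify=True cannot validate the KDC" % path
    if not os.access(path, os.R_OK):
        # The common case: /etc/krb5.keytab is root-owned with mode 0600.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return "keytab %s (mode %04o) is not readable by uid %d" % (
            path, mode, os.getuid())
    return None


def check_password_verified(check, user, password, service, realm, env=None):
    """Run a checkPassword-style callable with verify=True, but only after the
    keytab preflight passes, so a missing or unreadable keytab fails closed
    with a clear reason instead of a bare 'Permission denied'.

    `check` is an assumed injection point (kerberos.checkPassword in real use)
    so the logic can run without a KDC. Returns (ok, reason_or_None)."""
    problem = keytab_problem(keytab_path(env))
    if problem is not None:
        return False, problem
    if check(user, password, service, realm, verify=True):
        return True, None
    return False, "KDC rejected the credentials or the service ticket did not verify"
```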