
debdiff for CVE-2015-3206 (pykerberos)



Hi Guido,

I just saw that you are co-maintainer of pykerberos. I realized after I had already put my name behind the package name in dla-needed.txt.

As you are also on the LTS team, do you want to continue with uploading the package? Or shall I see to the upload and DLA? Maybe you just want to take a quick look and let me proceed. Please let me know your preferences here.

I have created a .debdiff by manually rebasing the upstream fix [1] against the package in Debian squeeze. The main part of the work was getting rid of tons of white-space changes in that commit.

The only thing we should consider is whether to leave the default for the new "verify" option in "checkPassword()" set to True (as upstream does) or to change it to False for reasons of backwards compatibility (see the comment at the bottom of [2]).

Greets,
Mike

[1] https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
[2] https://security-tracker.debian.org/tracker/CVE-2015-3206
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff -u pykerberos-1.1+svn4895/debian/changelog pykerberos-1.1+svn4895/debian/changelog
--- pykerberos-1.1+svn4895/debian/changelog
+++ pykerberos-1.1+svn4895/debian/changelog
@@ -1,3 +1,13 @@
+pykerberos (1.1+svn4895-1+deb6u1) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Add KDC authenticity verification support (CVE-2015-3206).
+    Obtained from upstream, ignoring white-space changes, URL:
+    https://github.com/02strich/pykerberos/commit/
+       02d13860b25fab58e739f0e000bed0067b7c6f9c
+
+ -- Mike Gabriel <sunweaver@debian.org>  Tue, 30 Jun 2015 22:11:14 +0200
+
 pykerberos (1.1+svn4895-1) unstable; urgency=low
 
   * [d6e470d] fix typo in package description (Closes: #520276) - thanks to
only in patch2:
unchanged:
--- pykerberos-1.1+svn4895.orig/src/kerberosbasic.h
+++ pykerberos-1.1+svn4895/src/kerberosbasic.h
@@ -20,4 +20,4 @@
 
 #define krb5_get_err_text(context,code) error_message(code)
 
-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm);
+int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify);
only in patch2:
unchanged:
--- pykerberos-1.1+svn4895.orig/src/kerberosbasic.c
+++ pykerberos-1.1+svn4895/src/kerberosbasic.c
@@ -26,9 +26,9 @@
 extern PyObject *BasicAuthException_class;
 static void set_basicauth_error(krb5_context context, krb5_error_code code);
 
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server);
+static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify);
 
-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm)
+int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify)
 {
     krb5_context    kcontext = NULL;
     krb5_error_code code;
@@ -87,7 +87,7 @@
         goto end;
     }
 
-    code = verify_krb5_user(kcontext, client, pswd, server);
+    code = verify_krb5_user(kcontext, client, pswd, server, verify);
 
     if (code)
     {
@@ -113,10 +113,11 @@
 }
 
 /* Inspired by krb5_verify_user from Heimdal */
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server)
+static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify)
 {
     krb5_creds creds;
-    krb5_get_init_creds_opt gic_options;
+    krb5_get_init_creds_opt *gic_options;
+    krb5_verify_init_creds_opt vic_options;
     krb5_error_code ret;
     char *name = NULL;
 
@@ -131,17 +132,43 @@
         free(name);
     }
 
-    krb5_get_init_creds_opt_init(&gic_options);
-    ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
+    // verify passed in server principal if needed
+    if (verify) {
+         ret = krb5_unparse_name(context, server, &name);
+         if (ret == 0) {
+#ifdef PRINTFS
+             printf("Trying to get TGT for service %s\n", name);
+#endif
+             free(name);
+         }
+    }
+
+    // verify password
+    krb5_get_init_creds_opt_alloc(context, &gic_options);
+    ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, gic_options);
     if (ret)
     {
         set_basicauth_error(context, ret);
         goto end;
     }
 
+    // verify response authenticity
+    if (verify) {
+        krb5_verify_init_creds_opt_init(&vic_options);
+        krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_options, 1);
+        ret = krb5_verify_init_creds(context, &creds, server, NULL, NULL, &vic_options);
+        if (ret) {
+            set_basicauth_error(context, ret);
+        }
+    }
+
 end:
+    // clean up
     krb5_free_cred_contents(context, &creds);
 
+    if (gic_options)
+        krb5_get_init_creds_opt_free(context, gic_options);
+
     return ret;
 }
 
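Review bot: The return value of `krb5_get_init_creds_opt_alloc` is discarded at the `// verify password` step, and `gic_options` is declared in the previous hunk without an initializer. If the allocation fails, an indeterminate pointer is passed to `krb5_get_init_creds_password` and then tested and freed under `end:`. Any `goto end` that runs before the allocation, in the part of `verify_krb5_user` not shown between the two hunks, would reach the same `if (gic_options)` test. I would declare it as `krb5_get_init_creds_opt *gic_options = NULL;` and check the call: `ret = krb5_get_init_creds_opt_alloc(context, &gic_options); if (ret) { set_basicauth_error(context, ret); goto end; }`. Separately, the block commented `// verify passed in server principal if needed` only prints the name under `PRINTFS`, so that comment should say it is debug output.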
only in patch2:
unchanged:
--- pykerberos-1.1+svn4895.orig/src/kerberos.c
+++ pykerberos-1.1+svn4895/src/kerberos.c
@@ -31,12 +31,13 @@
     const char *pswd;
     const char *service;
     const char *default_realm;
+    const int verify = 1;
     int result = 0;
 
-    if (!PyArg_ParseTuple(args, "ssss", &user, &pswd, &service, &default_realm))
+    if (!PyArg_ParseTuple(args, "ssssb", &user, &pswd, &service, &default_realm, &verify))
         return NULL;
 
-    result = authenticate_user_krb5pwd(user, pswd, service, default_realm);
+    result = authenticate_user_krb5pwd(user, pswd, service, default_realm, verify);
 
     if (result)
         return Py_INCREF(Py_True), Py_True;
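Review bot: `verify` is declared `const int`, but its address is passed to `PyArg_ParseTuple` for the `b` format unit, which stores an `unsigned char`. That writes a single byte into a const-qualified `int`, which is undefined behaviour, and on a big-endian build the byte written is probably not the one read back when `verify` is narrowed for `authenticate_user_krb5pwd`. The format `"ssssb"` also has no `|`, so the fifth argument is mandatory at this level; existing four-argument callers of the extension function would fail unless a wrapper outside this hunk always supplies it. I would use `unsigned char verify = 1;` and `"ssss|b"`, which keeps verification on by default while accepting the old call form. The enclosing function starts and ends outside the hunk.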
only in patch2:
unchanged:
--- pykerberos-1.1+svn4895.orig/pysrc/kerberos.py
+++ pykerberos-1.1+svn4895/pysrc/kerberos.py
@@ -27,7 +27,7 @@
 class GSSError(KrbError):
     pass
 
-def checkPassword(user, pswd, service, default_realm):
+def checkPassword(user, pswd, service, default_realm, verify=True):
     """
     This function provides a simple way to verify that a user name and password match
     those normally used for Kerberos authentication. It does this by checking that the
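Review bot: The visible part of the `checkPassword` docstring does not describe the new `verify` parameter; the rest of the docstring and the function body are outside the hunk, so this may already be covered there. Since the default decides whether the KDC reply is authenticated at all, the docstring should state it, for example `@param verify: if True (the default), the KDC reply is verified against the service key in the local keytab; if False, the KDC is not authenticated (see CVE-2015-3206).` It would also help to note that with `verify=True` the call fails on hosts that have no keytab entry for `service`, so callers know why an upgrade can start rejecting logins.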

Attachment: pgpH4G4Y8mtH0.pgp
Description: Digitale PGP-Signatur

