
Re: [SRM] krb5 changelog missing CVE



* Sam Hartman:

>>>>>> "Florian" == Florian Weimer <fw@deneb.enyo.de> writes:
>
>     Florian> * Sam Hartman:
>     >> Florian Weimer noticed that the krb5 changelog in squeeze was
>     >> missing a CVE that was fixed in the patch applied.  He proposes
>     >> to make a new upload that corrects the changelog so that people
>     >> who track security issues from the changelog will find the fix:
>
>     Florian> Sorry, there seems to be a slight misunderstanding.  The
>     Florian> changelog was indeed incorrect, but even that upload never
>     Florian> made it to the archive.
>
> I thought the issues were already fixed in squeeze2.
> I thought the only question was the changelog entry and documenting the
> issues.

No, the first fixed version was squeeze3.  You uploaded that in
October last year, but we failed to publish it at that time.

For completeness, I'm attaching the debdiff between squeeze2 and
squeeze5.


diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+krb5 (1.8.3+dfsg-4squeeze5) squeeze-security; urgency=high
+
+  *     CVE-2011-1529: null pointer dereference in KDC LDAP back end,
+    Closes: #629558
+  *     CVE-2011-1528: assertion failure in multiple KDC back ends
+    regarding account lockout
+
+ -- Sam Hartman <hartmans@debian.org>  Wed, 19 Oct 2011 11:55:43 -0400
+
 krb5 (1.8.3+dfsg-4squeeze2) stable; urgency=low
 
   * Upstream ticket 6852: permit gss_set_allowable_enctypes to restirct
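Review bot: the second bullet (CVE-2011-1528) carries no bug reference while the first one has `Closes: #629558`; if there is a Debian bug or upstream ticket for the lockout assertion failure it should be cited the same way so that people tracking the issue from the changelog can find it. Minor: the added bullets use `*     CVE-...` with five spaces after the asterisk and a continuation indented by four, whereas the existing squeeze2 entry uses the conventional `  * ` with a two-space continuation; aligning them keeps changelog parsers and `dpkg-parsechangelog` output tidy.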
diff -u krb5-1.8.3+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.8.3+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.8.3+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ krb5-1.8.3+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -131,6 +131,7 @@
     CHECK_LDAP_HANDLE(ldap_context);
 
     if (is_principal_in_realm(ldap_context, searchfor) != 0) {
+        st = KRB5_KDB_NOENTRY;
         *more = 0;
         krb5_set_error_message (context, st, "Principal does not belong to realm");
         goto cleanup;
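Review bot: the one-line fix is correct and minimal: without `st = KRB5_KDB_NOENTRY;` the principal-not-in-realm path jumped to `cleanup` after attaching an error message to whatever `st` happened to hold, so the caller could see a non-error return with `*more = 0` and no entry filled in, which is the null pointer dereference this upload addresses (CVE-2011-1529). It would help to make the return path explicit in the changelog entry ("principal not in realm now returns KRB5_KDB_NOENTRY") so reviewers of later uploads can tell what behaviour changed.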
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ krb5-1.8.3+dfsg/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
@@ -150,15 +150,25 @@
         return 0;
     }
 
+    if (entry == NULL)
+        return 0;
+
     code = lookup_lockout_policy(context, entry, &max_fail,
                                  &failcnt_interval,
                                  &lockout_duration);
     if (code != 0)
         return code;
 
-    entry->mask = 0;
+    /*
+     * Don't continue to modify the DB for an already locked account.
+     * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+     * this check is unneeded, but in rare cases, we can fail with an
+     * integrity error or preauth failure before a policy check.)
+     */
+    if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+        return 0;
 
-    assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
+    entry->mask = 0;
 
     if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
         /*
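Review bot: replacing the `assert (!locked_check_p(...))` with a `return 0` is the right shape of fix: an assertion is not a control in a KDC, since a failing one aborts the whole daemon (a remotely triggerable crash, CVE-2011-1528) and a build with `NDEBUG` drops it entirely, leaving the locked account's record to be modified anyway. Two small points: the new `if (entry == NULL) return 0;` guards `lookup_lockout_policy` against a missing entry, but the comment block only explains the locked-account case, so a one-line note on why `entry` can be NULL here would help the next reader; and the early return on a locked account means the function no longer reports that it skipped the update, which is fine as long as callers do not rely on the return value to decide whether the failure count was recorded.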
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/plugins/kdb/db2/lockout.c
+++ krb5-1.8.3+dfsg/src/plugins/kdb/db2/lockout.c
@@ -158,13 +158,23 @@
         return 0;
     }
 
+    if (entry == NULL)
+        return 0;
+
     code = lookup_lockout_policy(context, entry, &max_fail,
                                  &failcnt_interval,
                                  &lockout_duration);
     if (code != 0)
         return code;
 
-    assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
+    /*
+     * Don't continue to modify the DB for an already locked account.
+     * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+     * this check is unneeded, but in rare cases, we can fail with an
+     * integrity error or preauth failure before a policy check.)
+     */
+    if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+        return 0;
 
     if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
         /*
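Review bot: this hunk is line-for-line the same change as the LDAP back end's `lockout.c`, including the identical comment block; that is expected for a security upload, but the duplicated lockout logic is exactly why one back end was fixed and the other would otherwise have been missed, so it is worth a note in the changelog that both the db2 and LDAP back ends are covered (the entry says "multiple KDC back ends" without naming them). As with the LDAP hunk, the `entry == NULL` guard could use a short comment of its own, since the block comment below it describes only the already-locked case.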

