
Bug#778713: unblock: krb5/1.12.1+dfsg-18

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package krb5

Upstream released a patch for CVE-2014-5355, a NULL dereference
or out-of-bounds read in krb5_recvauth().  It is not clear that any
aging is necessary; perhaps the security team will request some.

The attached debdiff includes upstream's commit message, which includes
more details about the issue.

unblock krb5/1.12.1+dfsg-18

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog
--- krb5-1.12.1+dfsg/debian/changelog	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/changelog	2015-02-18 12:52:19.000000000 -0500
@@ -1,3 +1,9 @@
+krb5 (1.12.1+dfsg-18) unstable; urgency=high
+
+  * Import upstream patch for CVE-2014-5355, Closes: #778647
+
+ -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 18 Feb 2015 12:52:14 -0500
+
 krb5 (1.12.1+dfsg-17) unstable; urgency=high
 
   * MITKRB5-SA-2015-001
diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm
--- krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-18 12:39:54.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-769a3f26c919339002ef2936592a90d144d0e238
-769a3f26c919339002ef2936592a90d144d0e238
+200a429df2c47467eb3a0973eb7594a475cc18fe
+200a429df2c47467eb3a0973eb7594a475cc18fe
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 krb5_1.12.1+dfsg.orig.tar.gz
diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series
--- krb5-1.12.1+dfsg/debian/patches/series	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/series	2015-02-18 12:39:54.000000000 -0500
@@ -27,3 +27,4 @@
 upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch
 0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch
 upstream/0029-MITKRB5-SA-2015-0001.patch
+upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
--- krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	1969-12-31 19:00:00.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	2015-02-18 12:39:54.000000000 -0500
@@ -0,0 +1,112 @@
+From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings.  Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence.  krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions.  If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash.  If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons.  These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to Tim Uglow for discovering this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+
+[tlyu@mit.edu: CVSS score]
+
+ticket: 8050 (new)
+target_version: 1.13.1
+tags: pullup
+
+(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
+
+Patch-Category: upstream
+---
+ src/appl/user_user/server.c | 4 +++-
+ src/lib/krb5/krb/recvauth.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
+index dbff68e..b136c72 100644
+--- a/src/appl/user_user/server.c
++++ b/src/appl/user_user/server.c
+@@ -113,8 +113,10 @@ int main(argc, argv)
+     }
+ #endif
+ 
++    /* principal name must be sent null-terminated. */
+     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
+-    if (retval) {
++    if (retval || pname_data.length == 0 ||
++        pname_data.data[pname_data.length - 1] != '\0') {
+         com_err ("uu-server", retval, "reading pname");
+         return 2;
+     }
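Review bot: when the new length or terminator test fails, retval is still 0, so com_err("uu-server", retval, "reading pname") prints no error text and misattributes the failure to the read; split it into a second branch with its own message, e.g. `com_err("uu-server", 0, "pname not null-terminated");`. The ordering of the condition is load-bearing and deserves a comment: `retval ||` must stay first, since pname_data is not valid when krb5_read_message fails, and `pname_data.length == 0` must precede the `pname_data.data[pname_data.length - 1]` access so the index never underflows.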
+diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
+index da836283..5adc6dd 100644
+--- a/src/lib/krb5/krb/recvauth.c
++++ b/src/lib/krb5/krb/recvauth.c
+@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
+     krb5_rcache           rcache = 0;
+     krb5_octet            response;
+     krb5_data             null_server;
++    krb5_data             d;
+     int                   need_error_free = 0;
+     int                   local_rcache = 0, local_authcon = 0;
+ 
+@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
+          */
+         if ((retval = krb5_read_message(context, fd, &inbuf)))
+             return(retval);
+-        if (strcmp(inbuf.data, sendauth_version)) {
++        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAUTHVERS;
+             response = 1;
+         }
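Review bot: the `+ 1` in `strlen(sendauth_version) + 1` is the whole fix for the empty-message case and deserves a one-line comment, since a reader may take it for an off-by-one; it records that the peer sends the version string including its terminating NUL, so an empty message (length 0, NULL data) or one without the NUL now fails the length comparison inside data_eq() and is answered with KRB5_SENDAUTH_BADAUTHVERS rather than being passed to strcmp(). Please confirm data_eq() compares lengths before touching the pointers, as the NULL data pointer of a zero-length inbuf must never reach memcmp(). The `(char *)` cast suggests sendauth_version is const-qualified; if make_data() takes a non-const pointer that cast is the accepted idiom, otherwise it should go.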
+@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
+      */
+     if ((retval = krb5_read_message(context, fd, &inbuf)))
+         return(retval);
+-    if (appl_version && strcmp(inbuf.data, appl_version)) {
+-        if (!problem) {
++    if (appl_version != NULL && !problem) {
++        d = make_data(appl_version, strlen(appl_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAPPLVERS;
+             response = 2;
+         }
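Review bot: the make_data()/data_eq() pattern with the "string plus NUL" length now appears twice in recvauth_common; a small static helper, e.g. `static krb5_boolean version_matches(const krb5_data *in, const char *expected)`, would keep the `+ 1` convention in one place and make both call sites read the same. Folding `!problem` into the outer condition is behaviour-preserving (the nested `if (!problem)` previously guarded the same assignments) and has the side benefit that strlen(appl_version) and the comparison are skipped once the sendauth version has already failed; a note in the commit message that the application-version message is still read but no longer compared in that case would save the next reader the same analysis.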

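To make the two failure modes in the commit message concrete, here is an added example in C. It is my own illustration, not code from MIT krb5 or the Debian package: mini_data, make_data and data_eq are simplified stand-ins modelled on the names used in the patch, read_message follows the framing the commit message attributes to krb5_read_message (assumed here: a 4-byte big-endian length prefix, and a NULL data pointer for a zero-length message), and old_strcmp_behaviour reports what the pre-fix strcmp() would have done on each message without performing the unsafe access. The three messages are constructed inline.

```c
/* Added example, not MIT krb5 or Debian code: a miniature model of the
 * krb5_recvauth version check before and after the CVE-2014-5355 fix.
 * Assumed (not taken from the patch): 4-byte big-endian length framing and
 * a NULL data pointer for an empty message, as the commit message describes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data: a length and a pointer, with no NUL guarantee. */
typedef struct {
    unsigned int length;
    char *data;
} mini_data;

/* Stand-in for krb5's make_data(): wrap an existing buffer, no copy. */
static mini_data make_data(void *data, unsigned int len) {
    mini_data d;
    d.data = (char *)data;
    d.length = len;
    return d;
}

/* Stand-in for krb5's data_eq(): lengths must match before any byte is read,
 * so a zero-length message with a NULL pointer never reaches memcmp(). */
static int data_eq(mini_data a, mini_data b) {
    return a.length == b.length &&
           (a.length == 0 || memcmp(a.data, b.data, a.length) == 0);
}

/* Model of krb5_read_message() framing: 4-byte big-endian length, then payload.
 * Returns 0 and fills *out on success (caller frees out->data), -1 on a short frame. */
static int read_message(const unsigned char *buf, size_t buflen, mini_data *out) {
    uint32_t len;
    if (buflen < 4) return -1;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | buf[3];
    if (buflen - 4 < len) return -1;
    out->length = len;
    if (len == 0) { out->data = NULL; return 0; }   /* empty message: NULL pointer */
    out->data = malloc(len);
    if (out->data == NULL) return -1;
    memcpy(out->data, buf + 4, len);
    return 0;
}

/* What the pre-fix strcmp(inbuf.data, version) would have done, decided by
 * inspection so the unsafe access itself is never performed. */
enum old_behaviour { OLD_DEREF_NULL, OLD_OVERREAD, OLD_SAFE_COMPARE };

static enum old_behaviour old_strcmp_behaviour(mini_data in) {
    if (in.length == 0) return OLD_DEREF_NULL;                     /* data == NULL */
    if (memchr(in.data, '\0', in.length) == NULL) return OLD_OVERREAD; /* no NUL in bounds */
    return OLD_SAFE_COMPARE;
}

/* The fixed check: the expected value is the C string plus its terminating NUL,
 * exactly as the sender transmits it; any other length or content is a mismatch. */
static int version_matches(mini_data in, const char *expected) {
    mini_data d = make_data((char *)expected, (unsigned int)strlen(expected) + 1);
    return data_eq(in, d);
}

/* Build a framed message into out (needs 4 + len bytes); returns the frame size. */
static size_t build_frame(const char *payload, unsigned int len, unsigned char *out) {
    out[0] = (unsigned char)(len >> 24); out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);  out[3] = (unsigned char)len;
    if (len) memcpy(out + 4, payload, len);
    return 4 + len;
}

/* Run one frame through both analyses. Returns -1 for a malformed frame,
 * 0 for a version mismatch, 1 for a match; *old gets the pre-fix verdict. */
static int check_frame(const unsigned char *buf, size_t n, const char *expected,
                       enum old_behaviour *old) {
    mini_data in;
    int match;
    if (read_message(buf, n, &in) != 0) return -1;
    *old = old_strcmp_behaviour(in);
    match = version_matches(in, expected);
    free(in.data);
    return match;
}

int main(void) {
    static const char v[] = "KRB5_SENDAUTH_V1.0";
    static const char *verdict[] = { "would dereference NULL", "would read past the buffer", "safe" };
    struct { const char *name; unsigned int len; } cases[] = {   /* constructed inputs */
        { "terminated (string + NUL)", (unsigned int)sizeof v },
        { "unterminated (string only)", (unsigned int)sizeof v - 1 },
        { "empty (zero-length)", 0 },
    };
    unsigned char buf[64];
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum old_behaviour old = OLD_SAFE_COMPARE;
        size_t n = build_frame(v, cases[i].len, buf);
        int match = check_frame(buf, n, v, &old);
        printf("%-28s fixed check: %s; old strcmp: %s\n", cases[i].name,
               match == 1 ? "match" : "mismatch", verdict[old]);
    }
    return 0;
}
```

Only the terminated frame matches the fixed check; the unterminated and empty frames are the two inputs the advisory describes, and the classifier shows the over-read and the NULL dereference the old strcmp() would have produced on them.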