
Bug#778713: marked as done (unblock: krb5/1.12.1+dfsg-18)



Your message dated Wed, 18 Feb 2015 22:34:47 +0100
with message-id <20150218213447.GG1473@dogguy.org>
and subject line Re: Bug#778713: unblock: krb5/1.12.1+dfsg-18
has caused the Debian Bug report #778713,
regarding unblock: krb5/1.12.1+dfsg-18
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778713
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package krb5

Upstream released a patch for CVE-2014-5355, a NULL dereference
or out-of-bounds read in krb5_recvauth().  It is not clear that any
aging is necessary; perhaps the security team will request some.

The attached debdiff includes upstream's commit message, which includes
more details about the issue.

unblock krb5/1.12.1+dfsg-18

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru krb5-1.12.1+dfsg/debian/changelog krb5-1.12.1+dfsg/debian/changelog
--- krb5-1.12.1+dfsg/debian/changelog	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/changelog	2015-02-18 12:52:19.000000000 -0500
@@ -1,3 +1,9 @@
+krb5 (1.12.1+dfsg-18) unstable; urgency=high
+
+  * Import upstream patch for CVE-2014-5355, Closes: #778647
+
+ -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 18 Feb 2015 12:52:14 -0500
+
 krb5 (1.12.1+dfsg-17) unstable; urgency=high
 
   * MITKRB5-SA-2015-001
diff -Nru krb5-1.12.1+dfsg/debian/.git-dpm krb5-1.12.1+dfsg/debian/.git-dpm
--- krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/.git-dpm	2015-02-18 12:39:54.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-769a3f26c919339002ef2936592a90d144d0e238
-769a3f26c919339002ef2936592a90d144d0e238
+200a429df2c47467eb3a0973eb7594a475cc18fe
+200a429df2c47467eb3a0973eb7594a475cc18fe
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 00dec38e79dd6436e9efed873df00e6ea11fdd0e
 krb5_1.12.1+dfsg.orig.tar.gz
diff -Nru krb5-1.12.1+dfsg/debian/patches/series krb5-1.12.1+dfsg/debian/patches/series
--- krb5-1.12.1+dfsg/debian/patches/series	2015-02-03 10:33:39.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/series	2015-02-18 12:39:54.000000000 -0500
@@ -27,3 +27,4 @@
 upstream/0027-Fix-LDAP-misused-policy-name-crash-CVE-2014-5353.patch
 0028-Support-keyless-principals-in-LDAP-CVE-2014-5354.patch
 upstream/0029-MITKRB5-SA-2015-0001.patch
+upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
diff -Nru krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch
--- krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	1969-12-31 19:00:00.000000000 -0500
+++ krb5-1.12.1+dfsg/debian/patches/upstream/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch	2015-02-18 12:39:54.000000000 -0500
@@ -0,0 +1,112 @@
+From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Dec 2014 12:37:44 -0500
+Subject: Fix krb5_read_message handling [CVE-2014-5355]
+
+In recvauth_common, do not use strcmp against the data fields of
+krb5_data objects populated by krb5_read_message(), as there is no
+guarantee that they are C strings.  Instead, create an expected
+krb5_data value and use data_eq().
+
+In the sample user-to-user server application, check that the received
+client principal name is null-terminated before using it with printf
+and krb5_parse_name.
+
+CVE-2014-5355:
+
+In MIT krb5, when a server process uses the krb5_recvauth function, an
+unauthenticated remote attacker can cause a NULL dereference by
+sending a zero-byte version string, or a read beyond the end of
+allocated storage by sending a non-null-terminated version string.
+The example user-to-user server application (uuserver) is similarly
+vulnerable to a zero-length or non-null-terminated principal name
+string.
+
+The krb5_recvauth function reads two version strings from the client
+using krb5_read_message(), which produces a krb5_data structure
+containing a length and a pointer to an octet sequence.  krb5_recvauth
+assumes that the data pointer is a valid C string and passes it to
+strcmp() to verify the versions.  If the client sends an empty octet
+sequence, the data pointer will be NULL and strcmp() will dereference
+a NULL pointer, causing the process to crash.  If the client sends a
+non-null-terminated octet sequence, strcmp() will read beyond the end
+of the allocated storage, possibly causing the process to crash.
+
+uuserver similarly uses krb5_read_message() to read a client principal
+name, and then passes it to printf() and krb5_parse_name() without
+verifying that it is a valid C string.
+
+The krb5_recvauth function is used by kpropd and the Kerberized
+versions of the BSD rlogin and rsh daemons.  These daemons are usually
+run out of inetd or in a mode which forks before processing incoming
+connections, so a process crash will generally not result in a
+complete denial of service.
+
+Thanks to Tim Uglow for discovering this issue.
+
+CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
+
+[tlyu@mit.edu: CVSS score]
+
+ticket: 8050 (new)
+target_version: 1.13.1
+tags: pullup
+
+(cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec)
+
+Patch-Category: upstream
+---
+ src/appl/user_user/server.c | 4 +++-
+ src/lib/krb5/krb/recvauth.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c
+index dbff68e..b136c72 100644
+--- a/src/appl/user_user/server.c
++++ b/src/appl/user_user/server.c
+@@ -113,8 +113,10 @@ int main(argc, argv)
+     }
+ #endif
+ 
++    /* principal name must be sent null-terminated. */
+     retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data);
+-    if (retval) {
++    if (retval || pname_data.length == 0 ||
++        pname_data.data[pname_data.length - 1] != '\0') {
+         com_err ("uu-server", retval, "reading pname");
+         return 2;
+     }
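Review bot: when the new length/termination test fails while `retval` is still 0, the existing `com_err ("uu-server", retval, "reading pname");` reports error code 0 next to a failure message, so a malformed principal name is logged as if nothing went wrong; a separate branch with its own message for the "not null-terminated" case would make the log useful. The ordering `pname_data.length == 0 ||` before `pname_data.data[pname_data.length - 1]` is correct: the short-circuit stops an empty message from indexing at `length - 1` (an unsigned wraparound) through a NULL data pointer.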
+diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
+index da836283..5adc6dd 100644
+--- a/src/lib/krb5/krb/recvauth.c
++++ b/src/lib/krb5/krb/recvauth.c
+@@ -59,6 +59,7 @@ recvauth_common(krb5_context context,
+     krb5_rcache           rcache = 0;
+     krb5_octet            response;
+     krb5_data             null_server;
++    krb5_data             d;
+     int                   need_error_free = 0;
+     int                   local_rcache = 0, local_authcon = 0;
+ 
+@@ -77,7 +78,8 @@ recvauth_common(krb5_context context,
+          */
+         if ((retval = krb5_read_message(context, fd, &inbuf)))
+             return(retval);
+-        if (strcmp(inbuf.data, sendauth_version)) {
++        d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAUTHVERS;
+             response = 1;
+         }
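Review bot: the expected value is built with `strlen(sendauth_version) + 1`, so the client message must carry exactly the version string plus its terminating NUL and nothing after it; this is stricter than the old `strcmp`, which accepted trailing bytes after the NUL, and the commit message should say so. The fix depends on `data_eq()` comparing lengths before contents, which is what keeps a zero-length message (NULL `inbuf.data`) or an unterminated one from being read at all. The `(char *)` cast on `sendauth_version` only discards const for `make_data`; harmless, but a const-taking helper would remove the need for it.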
+@@ -93,8 +95,9 @@ recvauth_common(krb5_context context,
+      */
+     if ((retval = krb5_read_message(context, fd, &inbuf)))
+         return(retval);
+-    if (appl_version && strcmp(inbuf.data, appl_version)) {
+-        if (!problem) {
++    if (appl_version != NULL && !problem) {
++        d = make_data(appl_version, strlen(appl_version) + 1);
++        if (!data_eq(inbuf, d)) {
+             problem = KRB5_SENDAUTH_BADAPPLVERS;
+             response = 2;
+         }
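Review bot: the `if (!problem)` guard has moved from inside the comparison up into the outer condition, so once the sendauth version check has failed the application version is no longer compared at all; the resulting `problem` and `response` values are the same as before, but the commit message only describes the `strcmp` replacement, so this control-flow change deserves a sentence there. `make_data(appl_version, ...)` is called without the cast used for `sendauth_version` in the previous hunk; fine if `appl_version` is already a non-const pointer, otherwise the two call sites should match.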

--- End Message ---
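The unblock request above describes CVE-2014-5355 as krb5_recvauth() running strcmp() over a length-prefixed krb5_data buffer that need not be NUL-terminated. As an added example, not code from the krb5 patch or from libkrb5, the C below models that buffer with hypothetical stand-ins (msg_data, msg_make, msg_eq) for krb5_data, make_data and data_eq, and shows the length-first comparison and the uuserver termination check rejecting empty and unterminated input without dereferencing anything; the sample inputs are constructed.

```c
/* Added example: a self-contained model of the length-aware comparison the
 * fix introduces. msg_data/msg_make/msg_eq are hypothetical stand-ins for
 * libkrb5's krb5_data/make_data/data_eq, not the library's own code. */
#include <stddef.h>
#include <string.h>

typedef struct {
    unsigned int length;   /* octet count; no NUL terminator is implied */
    char *data;            /* may be NULL when length == 0 */
} msg_data;                /* stand-in for krb5_data */

/* View an existing buffer as msg_data (like make_data()); no copy is made. */
static msg_data msg_make(char *buf, unsigned int len) {
    msg_data d;
    d.length = len;
    d.data = buf;
    return d;
}

/* Length-first comparison (like data_eq()): unequal lengths are rejected
 * before any byte is read, so a NULL data pointer is never dereferenced and
 * memcmp never runs past the end of either buffer. */
static int msg_eq(msg_data a, msg_data b) {
    if (a.length != b.length)
        return 0;
    if (a.length == 0)
        return 1;
    return memcmp(a.data, b.data, a.length) == 0;
}

/* The corrected version check: the expected value includes its NUL byte,
 * exactly as the fixed recvauth_common builds it with strlen() + 1, so the
 * client must send the string, its terminator, and nothing else. */
static int version_ok(msg_data received, const char *expected) {
    msg_data d = msg_make((char *)expected, (unsigned int)strlen(expected) + 1);
    return msg_eq(received, d);
}

/* The uuserver-style guard: a principal name read from the wire may only be
 * passed to printf()/krb5_parse_name() if it is non-empty and NUL-terminated.
 * The length test runs first, so an empty message never indexes data[-1]. */
static int pname_terminated(msg_data pname) {
    return pname.length != 0 && pname.data[pname.length - 1] == '\0';
}

int main(void) {
    /* Constructed wire inputs: one well-formed, one missing its NUL byte. */
    int ok = version_ok(msg_make("KRB5_SENDAUTH_V1.0", 19), "KRB5_SENDAUTH_V1.0");
    int bad = version_ok(msg_make("KRB5_SENDAUTH_V1.0", 18), "KRB5_SENDAUTH_V1.0");
    return (ok && !bad) ? 0 : 1;
}
```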
--- Begin Message ---
On Wed, Feb 18, 2015 at 04:14:32PM -0500, Benjamin Kaduk <kaduk@mit.edu> wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package krb5
> 

Unblocked.

Regards,

-- 
Mehdi Dogguy

--- End Message ---