Bug#798028: jessie-pu: package pykerberos/1.1.5-0.1+deb8u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#798028: jessie-pu: package pykerberos/1.1.5-0.1+deb8u1
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 4 Sep 2015 17:41:17 +0200
Message-id: <[🔎] 20150904154117.GA16192@bogon.m.sigxcpu.org>
Reply-to: Guido Günther <agx@sigxcpu.org>, 798028@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,
I'd like to fix CVE-2015-3206 (a loack (missing KDC authenticity
verification) for jessie via a point release. The debdiff is
attached. The bug is fixed in unstable as well as squeeze-lts already.

As in squeeze-lts the KDC check is disabled by default to not break existing
installations.

Cheers,
 -- Guido.


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..490dd3d
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,42 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+ 
+  The python-kerberos checkPassword() method has been badly insecure in
+  previous releases. It used to do (and still does by default) a kinit
+  (AS-REQ) to ask a KDC for a TGT for the given user principal, and
+  interprets the success or failure of that as indicating whether the
+  password is correct. It does not, however, verify that it actually spoke
+  to a trusted KDC: an attacker may simply reply instead with an AS-REP
+  which matches the password he just gave you.
+  .
+  Imagine you were verifying a password using LDAP authentication rather
+  than Kerberos: you would, of course, use TLS in conjunction with LDAP to
+  make sure you were talking to a real, trusted LDAP server. The same
+  requirement applies here. kinit is not a password-verification service.
+  .
+  The usual way of doing this is to take the TGT you've obtained with the
+  user's password, and then obtain a ticket for a principal for which the
+  verifier has keys (e.g. a web server processing a username/password form
+  login might get a ticket for its own HTTP/host@REALM principal), which
+  it can then verify. Note that this requires that the verifier has its
+  own Kerberos identity, which is mandated by the symmetric nature of
+  Kerberos (whereas in the LDAP case, the use of public-key cryptography
+  allows anonymous verification).
+  .
+  The fact of pykerberos being susceptible to KDC spoofing attacks has
+  been filed as CVE-2015-3206.
+  .
+  With this version of the pykerberos package a new option is introduced
+  for the checkPassword() method. Setting verify to True when using
+  checkPassword() will perform a KDC verification. For this to work, you
+  need to provide a krb5.keytab file containing service principal keys for
+  the service you intend to use.
+  .
+  As the default krb5.keytab file in /etc is normally not accessible by
+  non-root users/processes, you have to make sure a custom krb5.keytab
+  file containing the correct principal keys is provided to your
+  application using the KRB5_KTNAME environment variable.
+  .
+  Note: In Debian Jessie, KDC verification support is disabled by default in
+  ordner not to break existing setups.
+ 
+ -- Guido Günther <agx@sigxcpu.org>  Sat, 22 Aug 2015 12:08:41 +0200
diff --git a/debian/changelog b/debian/changelog
index 9521150..e382a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+
+  * Add KDC authenticity verification support (CVE-2015-3206)
+    Obtained from upstream, ignoring white-space changes, URL:
+    https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
+    (Closes: #796195)
+
+ -- Guido Günther <agx@sigxcpu.org>  Sat, 22 Aug 2015 13:48:57 +0200
+
 pykerberos (1.1.5-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/examples b/debian/examples
index de45608..10845a7 100644
--- a/debian/examples
+++ b/debian/examples
@@ -1 +1,2 @@
 bin/ftp-gss
+bin/login
diff --git a/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch b/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
new file mode 100644
index 0000000..e495497
--- /dev/null
+++ b/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
@@ -0,0 +1,150 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sat, 22 Aug 2015 11:51:13 +0200
+Subject: Add KDC authenticity verification support (CVE-2015-3206)
+
+Obtained from upstream, ignoring white-space changes, URL:
+https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
+---
+ pysrc/kerberos.py   |  4 +++-
+ src/kerberos.c      |  5 +++--
+ src/kerberosbasic.c | 41 ++++++++++++++++++++++++++++++++++-------
+ src/kerberosbasic.h |  2 +-
+ 4 files changed, 41 insertions(+), 11 deletions(-)
+
+diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py
+index 8c6a712..06ddd38 100644
+--- a/pysrc/kerberos.py
++++ b/pysrc/kerberos.py
+@@ -27,7 +27,7 @@ class BasicAuthError(KrbError):
+ class GSSError(KrbError):
+     pass
+ 
+-def checkPassword(user, pswd, service, default_realm):
++def checkPassword(user, pswd, service, default_realm, verify=False):
+     """
+     This function provides a simple way to verify that a user name and password match
+     those normally used for Kerberos authentication. It does this by checking that the
+@@ -49,6 +49,8 @@ def checkPassword(user, pswd, service, default_realm):
+     @param default_realm: a string containing the default realm to use if one is not
+         supplied in the user argument. Note that Kerberos realms are normally all
+         uppercase (e.g., 'EXAMPLE.COM').
++    @param verify:        a boolean flagging KDC verification to enabled or disabled
++                          (default: False).
+     @return:              True if authentication succeeds, False otherwise.
+     """
+ 
+diff --git a/src/kerberos.c b/src/kerberos.c
+index 740d9e1..af57b05 100644
+--- a/src/kerberos.c
++++ b/src/kerberos.c
+@@ -35,12 +35,13 @@ static PyObject *checkPassword(PyObject *self, PyObject *args)
+     const char *pswd = NULL;
+     const char *service = NULL;
+     const char *default_realm = NULL;
++    int verify = 0;
+     int result = 0;
+ 
+-    if (!PyArg_ParseTuple(args, "ssss", &user, &pswd, &service, &default_realm))
++    if (!PyArg_ParseTuple(args, "ssss|b", &user, &pswd, &service, &default_realm, &verify))
+         return NULL;
+ 
+-    result = authenticate_user_krb5pwd(user, pswd, service, default_realm);
++    result = authenticate_user_krb5pwd(user, pswd, service, default_realm, verify);
+ 
+     if (result)
+         return Py_INCREF(Py_True), Py_True;
+diff --git a/src/kerberosbasic.c b/src/kerberosbasic.c
+index 0c7bdd7..27d7c4f 100644
+--- a/src/kerberosbasic.c
++++ b/src/kerberosbasic.c
+@@ -26,9 +26,9 @@
+ extern PyObject *BasicAuthException_class;
+ static void set_basicauth_error(krb5_context context, krb5_error_code code);
+ 
+-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server);
++static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify);
+ 
+-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm)
++int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify)
+ {
+     krb5_context    kcontext = NULL;
+     krb5_error_code code;
+@@ -87,7 +87,7 @@ int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *se
+         goto end;
+     }
+ 
+-    code = verify_krb5_user(kcontext, client, pswd, server);
++    code = verify_krb5_user(kcontext, client, pswd, server, verify);
+ 
+     if (code)
+     {
+@@ -113,10 +113,11 @@ end:
+ }
+ 
+ /* Inspired by krb5_verify_user from Heimdal */
+-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server)
++static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify)
+ {
+     krb5_creds creds;
+-    krb5_get_init_creds_opt gic_options;
++    krb5_get_init_creds_opt *gic_options;
++    krb5_verify_init_creds_opt vic_options;
+     krb5_error_code ret;
+     char *name = NULL;
+ 
+@@ -131,17 +132,43 @@ static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal pri
+         free(name);
+     }
+ 
+-    krb5_get_init_creds_opt_init(&gic_options);
+-    ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
++    // verify passed in server principal if needed
++    if (verify) {
++         ret = krb5_unparse_name(context, server, &name);
++         if (ret == 0) {
++#ifdef PRINTFS
++             printf("Trying to get TGT for service %s\n", name);
++#endif
++             free(name);
++         }
++    }
++
++    // verify password
++    krb5_get_init_creds_opt_alloc(context, &gic_options);
++    ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, gic_options);
+     if (ret)
+     {
+         set_basicauth_error(context, ret);
+         goto end;
+     }
+ 
++    // verify response authenticity
++    if (verify) {
++        krb5_verify_init_creds_opt_init(&vic_options);
++        krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_options, 1);
++        ret = krb5_verify_init_creds(context, &creds, server, NULL, NULL, &vic_options);
++        if (ret) {
++            set_basicauth_error(context, ret);
++        }
++    }
++
+ end:
++    // clean up
+     krb5_free_cred_contents(context, &creds);
+ 
++    if (gic_options)
++        krb5_get_init_creds_opt_free(context, gic_options);
++
+     return ret;
+ }
+ 
+diff --git a/src/kerberosbasic.h b/src/kerberosbasic.h
+index 0a91455..f3cfce5 100644
+--- a/src/kerberosbasic.h
++++ b/src/kerberosbasic.h
+@@ -20,4 +20,4 @@
+ 
+ #define krb5_get_err_text(context,code) error_message(code)
+ 
+-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm);
++int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify);
diff --git a/debian/patches/Include-bin-login-an-example-script-allowing-the-user.patch b/debian/patches/Include-bin-login-an-example-script-allowing-the-user.patch
new file mode 100644
index 0000000..d1b796a
--- /dev/null
+++ b/debian/patches/Include-bin-login-an-example-script-allowing-the-user.patch
@@ -0,0 +1,63 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sat, 22 Aug 2015 11:53:34 +0200
+Subject: Include bin/login, an example script allowing the user
+
+to test the functionality of the new verify flag.
+---
+ bin/login | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+ create mode 100644 bin/login
+
+diff --git a/bin/login b/bin/login
+new file mode 100644
+index 0000000..d9becaa
+--- /dev/null
++++ b/bin/login
+@@ -0,0 +1,47 @@
++#!/usr/bin/env python
++##
++# Copyright (c) 2008 Jelmer Vernooij <jelmer@samba.org>
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++"""A sample script showing how to verify a user with username and password."""
++
++import argparse
++import getpass
++import kerberos
++import sys
++
++
++def main():
++    # construct arg parser
++    parser = argparse.ArgumentParser(description='Verify Kerberos login.')
++    parser.add_argument('--service', default='', help='the service to authenticate as')
++    parser.add_argument('--default_realm', default='', help='the realm to use if none is provided in the username')
++    parser.add_argument('--verify', default=False, action='store_true', help='enable KDC verification support')
++    parser.add_argument('user', metavar='user', help='the username to verify')
++    args = parser.parse_args()
++
++    print args.service
++
++    # get the password
++    password = getpass.getpass('Password: ')
++
++    # verify
++    try:
++        kerberos.checkPassword(args.user, password, args.service, args.default_realm, args.verify)
++        print "Successfully verified"
++    except kerberos.BasicAuthError as e:
++        print "{0} ({1})".format(*e.args)
++
++if __name__ == "__main__":
++    main()
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e8d5a68
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
+Include-bin-login-an-example-script-allowing-the-user.patch

Reply to:

Prev by Date: Bug#796598: marked as done (nmu: wmail_2.0-3, wmdate_0.7-4)
Next by Date: Bug#791317: marked as done (yaml-cpp: library transition may be needed when GCC 5 is the default)
Previous by thread: Bug#796598: marked as done (nmu: wmail_2.0-3, wmdate_0.7-4)
Next by thread: Bug#791317: marked as done (yaml-cpp: library transition may be needed when GCC 5 is the default)
Index(es):
- Date
- Thread