
Bug#991374: marked as done (unblock: krb5/1.18.3-6)



Your message dated Fri, 23 Jul 2021 22:05:11 +0000
with message-id <E1m73I7-0005uB-4J@respighi.debian.org>
and subject line unblock krb5
has caused the Debian Bug report #991374,
regarding unblock: krb5/1.18.3-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991374
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: kaduk@mit.edu

Please unblock package krb5

Upstream krb5 recently fixed a CVE in the KDC (server) process
whereby an unauthenticated request can trigger a NULL dereference.
The krb5 maintainer notes that systemd will restart the KDC if this
happens, but of course an attacker can send a flood of such crafted
packets and effectively DoS the process.

[ Reason ]
The NULL dereference is a service crash triggerable by a remote
unauthenticated attacker, and we should not have this DoS vulnerability in the
stable release.

[ Impact ]
An unpatched KDC is vulnerable to denial of service by an unauthenticated
remote attacker.

[ Tests ]
Upstream included a unit test to verify that a malformed packet does not crash
the KDC.  Upstream also has an extensive test suite that serves as a
regression test.

[ Risks ]
The risk here is pretty minimal; the issue stems from a function that was
written in an "if-ladder" style so that any operation that might write to
"retval" has to be wrapped in a conditional so that the operation is skipped
if an error had occurred previously.  The fix is to add such a "retval == 0"
check to a function call that takes a pointer to retval as a parameter and
writes to it, causing any previous errors in the function to be ignored.
(Upstream has since re-written the function to use a more robust coding style,
but that is not a minimal fix suitable for unblock.)

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock krb5/1.18.3-6
diff -Nru krb5-1.18.3/debian/changelog krb5-1.18.3/debian/changelog
--- krb5-1.18.3/debian/changelog	2021-03-28 10:43:01.000000000 -0700
+++ krb5-1.18.3/debian/changelog	2021-07-21 11:07:07.000000000 -0700
@@ -1,3 +1,10 @@
+krb5 (1.18.3-6) unstable; urgency=high
+
+  * Pull in upstream patch to fix CVE-2021-36222 (KDC NULL dereference),
+    Closes: #991365
+
+ -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 21 Jul 2021 11:07:07 -0700
+
 krb5 (1.18.3-5) unstable; urgency=medium
 
   * Update breaks on libk5crypto3 toward other internal libraries because
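Review bot: the changelog entry names the CVE and the Debian bug but not the upstream fix it pulls in; since the patch header below records "ticket: 9007" and "version_fixed: 1.18.4", repeating those in the entry (e.g. "backported from upstream 1.18.4, ticket 9007") would make the origin of the change traceable from the changelog alone.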
diff -Nru krb5-1.18.3/debian/patches/0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch krb5-1.18.3/debian/patches/0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
--- krb5-1.18.3/debian/patches/0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch	1969-12-31 16:00:00.000000000 -0800
+++ krb5-1.18.3/debian/patches/0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch	2021-07-21 11:06:53.000000000 -0700
@@ -0,0 +1,112 @@
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 7 Jul 2021 11:47:44 +1200
+Subject: Fix KDC null deref on bad encrypted challenge
+
+The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
+to avoid further processing if the armor key is NULL.  However, this
+check is bypassed by a call to k5memdup0() which overwrites retval
+with 0 if the allocation succeeds.  If the armor key is NULL, a call
+to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
+crash.  Add a check before the k5memdup0() call to avoid overwriting
+retval.
+
+CVE-2021-36222:
+
+In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
+cause a null dereference in the KDC by sending a request containing a
+PA-ENCRYPTED-CHALLENGE padata element without using FAST.
+
+[ghudson@mit.edu: trimmed patch; added test case; edited commit
+message]
+
+(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
+
+ticket: 9007
+version_fixed: 1.18.4
+
+(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)
+---
+ src/kdc/kdc_preauth_ec.c      |  3 ++-
+ src/tests/Makefile.in         |  1 +
+ src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 src/tests/t_cve-2021-36222.py
+
+diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
+index 7e636b3..43a9902 100644
+--- a/src/kdc/kdc_preauth_ec.c
++++ b/src/kdc/kdc_preauth_ec.c
+@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+     }
+ 
+     /* Check for a configured FAST ec auth indicator. */
+-    realmstr = k5memdup0(realm.data, realm.length, &retval);
++    if (retval == 0)
++        realmstr = k5memdup0(realm.data, realm.length, &retval);
+     if (realmstr != NULL)
+         retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+                                     realmstr,
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 3f88f17..0ffbebf 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -158,6 +158,7 @@ check-pytests: unlockiter s4u2self
+ 	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
+ 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
+ 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
++	$(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
+ 	$(RM) au.log
+ 	$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
+ 	$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
+diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
+new file mode 100644
+index 0000000..57e0499
+--- /dev/null
++++ b/src/tests/t_cve-2021-36222.py
+@@ -0,0 +1,46 @@
++import socket
++from k5test import *
++
++realm = K5Realm()
++
++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
++# without FAST
++
++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++a = (hostname, realm.portbase)
++
++m = ('6A81A0' '30819D'          # [APPLICATION 10] SEQUENCE
++     'A103' '0201' '05'         #  [1] pvno = 5
++     'A203' '0201' '0A'         #  [2] msg-type = 10
++     'A30E' '300C'              #  [3] padata = SEQUENCE OF
++     '300A'                     #   SEQUENCE
++     'A104' '0202' '008A'       #    [1] padata-type = PA-ENCRYPTED-CHALLENGE
++     'A202' '0400'              #    [2] padata-value = ""
++     'A48180' '307E'            #  [4] req-body = SEQUENCE
++     'A007' '0305' '0000000000' #   [0] kdc-options = 0
++     'A120' '301E'              #   [1] cname = SEQUENCE
++     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
++     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
++     '1B06' '6B7262746774'      #     krbtgt
++     '1B0B' '4B5242544553542E434F4D'
++                                #     KRBTEST.COM
++     'A20D' '1B0B' '4B5242544553542E434F4D'
++                                #   [2] realm = KRBTEST.COM
++     'A320' '301E'              #   [3] sname = SEQUENCE
++     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
++     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
++     '1B06' '6B7262746774'      #     krbtgt
++     '1B0B' '4B5242544553542E434F4D'
++                                #     KRBTEST.COM
++     'A511' '180F' '31393934303631303036303331375A'
++                                #   [5] till = 19940610060317Z
++     'A703' '0201' '00'         #   [7] nonce = 0
++     'A808' '3006'              #   [8] etype = SEQUENCE OF
++     '020112' '020111')         #    aes256-cts aes128-cts
++
++s.sendto(bytes.fromhex(m), a)
++
++# Make sure kinit still works.
++realm.kinit(realm.user_princ, password('user'))
++
++success('CVE-2021-36222 regression test')
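Review bot: the guard in kdc_preauth_ec.c is only safe if `realmstr` is initialised to NULL before this hunk, because the following unchanged line `if (realmstr != NULL)` now also runs when the k5memdup0() call has been skipped; the declaration is outside the visible context, so confirm it reads `char *realmstr = NULL;` rather than leaving the pointer uninitialised. On the test, `s.sendto(bytes.fromhex(m), a)` is a single fire-and-forget UDP datagram followed immediately by `realm.kinit(...)`; the check only detects a crash if the KDC handles the crafted packet before the kinit request, which holds for a single-process KDC on the loopback interface but is worth a comment so nobody later adds a delay or parallelism that hides the regression.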
diff -Nru krb5-1.18.3/debian/patches/series krb5-1.18.3/debian/patches/series
--- krb5-1.18.3/debian/patches/series	2021-03-22 14:02:44.000000000 -0700
+++ krb5-1.18.3/debian/patches/series	2021-07-21 11:06:53.000000000 -0700
@@ -7,3 +7,4 @@
 debian-local/0007-Fix-pkg-config-library-include-paths.patch
 debian-local/0008-Use-isystem-for-include-paths.patch
 0009-Add-.gitignore.patch
+0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch

--- End Message ---
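The [Risks] section of the request above describes why the one-line guard is the whole fix: in an "if-ladder" function, every step that can write to `retval` must be skipped once an earlier step has failed, and `k5memdup0()` violates that by storing 0 on success. The following is an added, self-contained model of that control flow, written for this page and not taken from krb5; `memdup0_model()`, `ec_verify_model()`, the `ERR_NO_FAST_ARMOR` value and the `reached_deref` flag are constructed stand-ins, and the point where the real KDC would call `krb5_c_fx_cf2_simple()` on the NULL armor key is only recorded, never dereferenced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for krb5 types and error codes (not krb5's real values). */
typedef int krb5_error_code;
#define ERR_NO_FAST_ARMOR 1001 /* placeholder: "no armor key / FAST not used" */

/* Model of k5memdup0(): copy len bytes, NUL-terminate, and report the result
 * through *code. Like the real helper, it writes 0 into *code on success,
 * which silently discards any error already accumulated by the caller. */
static char *
memdup0_model(const void *in, size_t len, krb5_error_code *code)
{
    char *out = malloc(len + 1);

    if (out == NULL) {
        *code = ENOMEM;
        return NULL;
    }
    memcpy(out, in, len);
    out[len] = '\0';
    *code = 0;
    return out;
}

/* Model of the ec_verify() if-ladder. armor_key == NULL models a request
 * carrying PA-ENCRYPTED-CHALLENGE without FAST. With guarded == 0 the memdup0
 * call is unconditional (the 1.18.3 behaviour); with guarded == 1 it is wrapped
 * in "if (retval == 0)" as in the fix. Returns the ladder's final retval and
 * sets *reached_deref to 1 if control reached the step that would use the
 * (NULL) armor key, i.e. the point where the unpatched KDC crashed. */
static krb5_error_code
ec_verify_model(const char *armor_key, const char *realm, int guarded,
                int *reached_deref)
{
    krb5_error_code retval = 0;
    char *realmstr = NULL;   /* must start as NULL: later code tests it */

    *reached_deref = 0;

    /* Early check: a request without an armor key must be rejected. */
    if (armor_key == NULL)
        retval = ERR_NO_FAST_ARMOR;

    /* Everything below is meant to be skipped once retval != 0. */
    if (!guarded || retval == 0)
        realmstr = memdup0_model(realm, strlen(realm), &retval);

    if (retval == 0) {
        /* krb5 calls krb5_c_fx_cf2_simple(armor_key, ...) here, which
         * dereferences the key; this model only records that it got here. */
        if (armor_key == NULL)
            *reached_deref = 1;
    }

    free(realmstr);
    return retval;
}

/* Wrappers for a no-FAST request against the constructed realm KRBTEST.COM. */
static int
no_fast_reaches_deref(int guarded)
{
    int reached;
    ec_verify_model(NULL, "KRBTEST.COM", guarded, &reached);
    return reached;
}

static krb5_error_code
no_fast_retval(int guarded)
{
    int reached;
    return ec_verify_model(NULL, "KRBTEST.COM", guarded, &reached);
}

/* A normal FAST-armored request must still succeed with the guard in place. */
static int
fast_request_ok(int guarded)
{
    int reached;
    krb5_error_code ret = ec_verify_model("armor-key", "KRBTEST.COM",
                                          guarded, &reached);
    return ret == 0 && reached == 0;
}

int
main(void)
{
    printf("unguarded: retval=%d reached_deref=%d\n",
           no_fast_retval(0), no_fast_reaches_deref(0));
    printf("guarded:   retval=%d reached_deref=%d\n",
           no_fast_retval(1), no_fast_reaches_deref(1));
    return 0;
}
```

Running the model shows the unguarded ladder ending with `retval == 0` and the dangerous step reached, while the guarded version preserves the early error and never gets there; the same reasoning explains why the request above calls the fix minimal, since nothing else in the ladder changes.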
--- Begin Message ---
Unblocked.

--- End Message ---