Bug 917840 (CVE-2012-1016)

Summary: CVE-2012-1016 krb5: PKINIT null pointer deref leads to DoS
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dpal, jlieskov, jplans, nalin, nathaniel
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: krb5-1.10.4
Doc Type: Bug Fix
Last Closed: 2013-04-03 18:18:44 UTC
Bug Depends On: 917841, 917909, 917910, 924620
Bug Blocks: 914754

Description Vincent Danen 2013-03-04 22:01:08 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1016 to
the following vulnerability:

Name: CVE-2012-1016
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1016
Assigned: 20120207
Reference: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7527
Reference: http://web.mit.edu/kerberos/www/krb5-1.10/
Reference: https://github.com/krb5/krb5/commit/db64ca25d661a47b996b4e2645998b5d7f0eb52c

The pkinit_server_return_padata function in
plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in
the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.10.4 attempts to find an agility KDF identifier in inappropriate
circumstances, which allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a crafted
Draft 9 request.


External References:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7527
http://web.mit.edu/kerberos/www/krb5-1.10/


Statement:

This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 as they did not include support for PKINIT.
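The crash described above, modelled as an added C example that is not krb5's code (the two pa-data type numbers are the real ones; the struct layout, field and function names are assumptions of this example): the vulnerable shape reads the client's supportedKDFs list through a pointer that only an RFC 4556 request fills in, while the fixed shape only attempts agility-KDF negotiation for that request type and otherwise falls back to the pre-agility key derivation.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of how the KDC's PKINIT padata handler sees the two
 * request flavours. Type values are the real pa-data numbers; everything
 * else here is an assumption made for this example, not krb5 source. */
#define PA_PK_AS_REQ_OLD 14   /* Draft 9 PKINIT request */
#define PA_PK_AS_REQ     16   /* RFC 4556 PKINIT request */

typedef struct { const char **ids; size_t n; } kdf_list;
typedef struct { kdf_list *supported_kdfs; } auth_pack;   /* RFC 4556 AuthPack */
typedef struct { int placeholder; } auth_pack9;           /* Draft 9 AuthPack: no KDF list */

typedef struct {
    int pa_type;
    auth_pack  *rcv_auth_pack;   /* filled in only for RFC 4556 requests */
    auth_pack9 *rcv_auth_pack9;  /* filled in only for Draft 9 requests */
} pkinit_req;

/* Vulnerable shape: the KDF lookup runs for every request and reads through
 * rcv_auth_pack, which the Draft 9 decoder leaves NULL, so a crafted Draft 9
 * request takes the KDC down. Never call this with a Draft 9 request. */
static const char *select_kdf_vulnerable(const pkinit_req *r) {
    kdf_list *l = r->rcv_auth_pack->supported_kdfs;
    return (l && l->n > 0) ? l->ids[0] : "legacy-octetstring2key";
}

/* Fixed shape: negotiate a KDF only for an RFC 4556 request that carries an
 * AuthPack; a Draft 9 request, or a missing supportedKDFs list, falls back
 * to the pre-agility key derivation instead of dereferencing NULL. */
static const char *select_kdf_fixed(const pkinit_req *r) {
    if (r->pa_type != PA_PK_AS_REQ || r->rcv_auth_pack == NULL)
        return "legacy-octetstring2key";
    kdf_list *l = r->rcv_auth_pack->supported_kdfs;
    return (l && l->n > 0) ? l->ids[0] : "legacy-octetstring2key";
}

/* Constructed sample requests: one RFC 4556 request advertising a single
 * (made-up) KDF identifier, and one Draft 9 request with no AuthPack. */
static const char *sample_ids[] = { "constructed-kdf-id" };
static kdf_list   sample_list   = { sample_ids, 1 };
static auth_pack  sample_pack   = { &sample_list };
static auth_pack9 sample_pack9  = { 0 };
pkinit_req rfc4556_req = { PA_PK_AS_REQ,     &sample_pack, NULL };
pkinit_req draft9_req  = { PA_PK_AS_REQ_OLD, NULL,         &sample_pack9 };
```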

Comment 1 Vincent Danen 2013-03-04 22:03:21 UTC
Created krb5 tracking bugs for this issue

Affects: fedora-all [bug 917841]

Comment 2 Vincent Danen 2013-03-04 22:07:28 UTC
It also looks as though this does not affect krb5 1.11 as there is no reference to this CVE in the changes for 1.11.1 (http://web.mit.edu/kerberos/www/krb5-1.11/), or it has not been fixed upstream on 1.11.x yet.  I've not checked to see which is the case yet.

Comment 4 Nalin Dahyabhai 2013-03-05 16:51:16 UTC
(In reply to comment #2)
> It also looks as though this does not affect krb5 1.11 as there is no
> reference to this CVE in the changes for 1.11.1
> (http://web.mit.edu/kerberos/www/krb5-1.11/), or it has not been fixed
> upstream on 1.11.x yet.  I've not checked to see which is the case yet.

This was fixed there as http://krbdev.mit.edu/rt/Ticket/Display.html?id=7506.

Comment 5 Fedora Update System 2013-03-16 01:31:38 UTC
krb5-1.10.2-9.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2013-03-18 18:04:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0656 https://rhn.redhat.com/errata/RHSA-2013-0656.html

Comment 7 Fedora Update System 2013-03-22 21:08:26 UTC
krb5-1.10.3-14.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Jan Lieskovsky 2013-03-29 16:14:40 UTC
This issue did not affect the version of the krb5 package as shipped with Red Hat Enterprise Linux 4.