Bug 152773 - CAN-2004-0642to0644,0772,0971,1189 Multiple Kerberos vulnerabilities
Keywords:
Status: CLOSED DUPLICATE of bug 154276
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: krb5
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: 1, LEGACY, rh73, rh90, verify-rhl9, v...
Duplicates: 152731
Depends On:
Blocks:
Reported: 2004-08-31 13:27 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-17 07:04:14 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:26:57 UTC
From: https://rhn.redhat.com/errata/RHSA-2004-350.html

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A
remote attacker could potentially exploit these flaws to execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.



------- Additional Comments From marcdeslauriers 2004-09-01 15:33:59 ----

RHAS 2.1 advisory:

https://rhn.redhat.com/errata/RHSA-2004-448.html




------- Additional Comments From dwb7.edu 2004-09-02 05:49:02 ----

Obsoletes 1726



------- Additional Comments From marcdeslauriers 2004-09-02 13:44:24 ----

The following was posted in bug 2041 by mistake:

From Dave Botsch  2004-09-02 05:49 :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built packages for RH7.3:

sha1sum -b *.rpm
ef5ab48ad356a944c7cc3ba923c9dbb50ef83c5e *krb5-1.2.4-13.legacy.7x.src.rpm
810bb9ffba0ceeffdfe8622077680cd4a27a0152
*krb5-devel-1.2.4-13.legacy.7x.i386.rpm
113cbd9f47f9d141fddb5b6ae9a03deb000a3a35 *krb5-libs-1.2.4-13.legacy.7x.i386.rpm
1a2402efd13a1dff6c5c7935de846c2b3da12595
*krb5-server-1.2.4-13.legacy.7x.i386.rpm
2a7ea85868b70f76f990903a9a8a6223f6ed9e48
*krb5-workstation-1.2.4-13.legacy.7x.i386.rpm

download from 
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/krb5

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBN0C9SY7s7uPf/IURAmaKAKCyzN/UHhzpTtFiUjI4ds5Z8VGrAACfXKUb
nqqbHP2Jd+RAuTAPmPzNKbY=
=8qto
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-02 13:46:23 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Dave's packages for 7.3:

ef5ab48ad356a944c7cc3ba923c9dbb50ef83c5e *krb5-1.2.4-13.legacy.7x.src.rpm

- - Source is unchanged from previous
- - Patch files are good
- - Spec file is good
- - Builds, installs and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBN7DkLMAs/0C4zNoRAvCRAJ9dzQgZ4iFFRi8DcXbK9WOoxZzMBgCfcvxJ
pU8tKY/tVP+C9ITQFKIuNE8=
=/gmt
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-02 14:16:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA for rh9:

Changelog:
* Thu Sep 02 2004 Marc Deslauriers <marcdeslauriers> 1.2.7-16.legacy
- - apply patches for MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003
- - disabled patch32 (Obsoleted by MITKRB5-SA-2004-002 patch)

59d80f0e4ff7ea1f4ba94b5efc3fbd148c6d70d2  krb5-1.2.7-16.legacy.src.rpm
c095c4d8c2fa42fc76af78ea95d678561c53ca66  krb5-devel-1.2.7-16.legacy.i386.rpm
8dbd92f9791f02f4aef8e764846e970c4d73077f  krb5-libs-1.2.7-16.legacy.i386.rpm
18041a175cb20b9f5ed3dd7caa0f863dfec7bd76  krb5-server-1.2.7-16.legacy.i386.rpm
9fe14d984b453693a236c02d04288d58336a1ae0  krb5-workstation-1.2.7-16.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/krb5-1.2.7-16.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-devel-1.2.7-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-libs-1.2.7-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-server-1.2.7-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/krb5-workstation-1.2.7-16.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBN7fcLMAs/0C4zNoRAgfoAKC2eLzj2fq9GTsACGjTpxCs0Uu4iQCfWApE
PkEGsEzbLN8iLtY1qw8IrzI=
=06SU
-----END PGP SIGNATURE-----




------- Additional Comments From mattdm 2004-09-03 09:11:59 ----

Marc's RH9 packages look good to me -- the patches and sources match the
upstream, the spec file seems fine, and everything seems to work.

(How does this work? Do I add the REVIEWED keyword? Remove the QA one? Add PUBLISH?)



------- Additional Comments From michal 2004-09-05 11:27:53 ----

At least for krb5-1.2.4-13.legacy.7x.src.rpm I fail to see patch44,
i.e. MITKRB5-SA-2004-001-an_to_ln-1.2.txt, applied anywhere.  Moreover
that patch file in src.rpm is clearly corrupted by mail and it needs 
's/^- --/--/' before it will get accepted by patch program and 

pushd src/lib/krb5/os
%patch44 -p0 -b .anlc_2004-001
popd

in a spec file to be applied.  I do not see anything in spec comments
suggesting that this is not needed anymore.  Is this brought from
RHSA-2004-448?  If yes then Nalin should be told.

I did not check how this looks in krb5-1.2.7-16.legacy.src.rpm.
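
The two defects described in the comment above (a patch declared in the spec but never applied, and a patch file still carrying PGP dash-escapes) can be checked mechanically before a +PUBLISH vote. This is an added example, not part of the original comment or of Fedora Legacy's tooling; the function names, the sample spec fragment and the sample patch are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fedora Legacy tooling): two source-RPM QA checks.

# Print each PatchN tag the spec declares but never applies via %patchN.
unapplied_patches() {
    awk '
        tolower($0) ~ /^patch[0-9]+[ \t]*:/ {   # declaration: "Patch44: file"
            n = $0; sub(/^[A-Za-z]+/, "", n); sub(/[ \t]*:.*/, "", n)
            order[++count] = n
        }
        /^[ \t]*%patch[0-9]+/ {                  # application: "%patch44 -p0"
            n = $0; sub(/^[ \t]*%patch/, "", n); sub(/[^0-9].*/, "", n)
            applied[n] = 1
        }
        END {
            for (i = 1; i <= count; i++)
                if (!(order[i] in applied)) print "Patch" order[i]
        }
    ' "$1"
}

# Count lines that still carry the "- " prefix PGP clearsigning adds to
# lines starting with "-" (the pattern named in the comment above).
dash_escaped_lines() {
    grep -c '^- --' "$1" || true
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT

# Constructed spec fragment: Patch44 is declared, but only Patch43 is applied.
cat > "$demo/krb5.spec" <<'EOF'
Patch43: constructed-other-fix.patch
Patch44: MITKRB5-SA-2004-001-an_to_ln-1.2.txt
%prep
%setup -q
%patch43 -p1 -b .other
EOF

# Constructed context-diff header as it looks after being pasted from signed mail.
cat > "$demo/p44.txt" <<'EOF'
*** an_to_ln.c
- --- an_to_ln.c
***************
*** 1,3 ****
- --- 1,4 ----
EOF

echo "declared but not applied: $(unapplied_patches "$demo/krb5.spec")"
echo "dash-escaped lines: $(dash_escaped_lines "$demo/p44.txt")"
```

A commented-out `%patchN` line is reported as unapplied as well, so an intentionally disabled patch still gets a second look from the reviewer.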



------- Additional Comments From marcdeslauriers 2004-09-05 16:40:03 ----

krb5-1.2.4-13.legacy.7x.src.rpm really is broken. Good catch Michal. I missed
that when I QA'd it.




------- Additional Comments From dwb7.edu 2004-09-07 16:20:00 ----

Whups... missed actually applying Patch #44

Patch on rh7.3 seems to like that patch just fine (and it applies w. little fuss).

Rebuilding the rpms as I type this.



------- Additional Comments From mattdm 2004-09-07 16:30:02 ----

doh! -- missed that too. sorry.



------- Additional Comments From dwb7.edu 2004-09-07 16:31:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built new packages for RH7.3:

sha1sum -b *.rpm
1f0ba7abfab47917f282d7aa08eff2b3caacc620 *krb5-1.2.4-14.legacy.7x.src.rpm
d54eab102e8027c7fd92d74d76f127dde0178e6a
*krb5-devel-1.2.4-14.legacy.7x.i386.rpm
c4cc18dfcbb1bbf2392e05709c348108d9b8763c *krb5-libs-1.2.4-14.legacy.7x.i386.rpm
a6e28b798c644f1ec53c255c4a233ec2cb1465a5
*krb5-server-1.2.4-14.legacy.7x.i386.rpm
9b85746f25d0fc730ae6adecb3f61e036bfaba8e
*krb5-workstation-1.2.4-14.legacy.7x.i386.rpm

download from 
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/krb5

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBPm5kSY7s7uPf/IURAhjzAKDg8O4k9Doa76De4dGiI4gUYo0S0gCgpYuG
iqHL3Y/Nd+y89kc/rFqQ40Y=
=I61w
-----END PGP SIGNATURE-----




------- Additional Comments From simon 2004-09-09 10:11:44 ----

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
Tested on Redhat 7.3 
 
1f0ba7abfab47917f282d7aa08eff2b3caacc620 krb5-1.2.4-14.legacy.7x.src.rpm 
d54eab102e8027c7fd92d74d76f127dde0178e6a 
krb5-devel-1.2.4-14.legacy.7x.i386.rpm 
c4cc18dfcbb1bbf2392e05709c348108d9b8763c krb5-libs-1.2.4-14.legacy.7x.i386.rpm 
a6e28b798c644f1ec53c255c4a233ec2cb1465a5 
krb5-server-1.2.4-14.legacy.7x.i386.rpm 
9b85746f25d0fc730ae6adecb3f61e036bfaba8e 
krb5-workstation-1.2.4-14.legacy.7x.i386.rpm 
 
checksums of source package(s) - OK 
Patches - OK 
SPEC file - OK 
BUILD - OK 
INSTALL - OK 
 
I'm using the libs for authentication via PHP, and it seems to work OK 
I have not installed or tested the server or workstation rpms, but they do 
build fine. 
 
I vote we push this to updates-testing to get some more feedback, or this 
might end up getting locked 
up in Bugzilla for a while, as I'm not sure how many people make full use of 
Kerberos and can QA it completely. 
 
+PUBLISH 
 
- - Si 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
 
iD8DBQFBQLiqMLOCzgCQslsRAvfZAJ4xAc1sRzH3AxJIWeQmKZRfp2IaDACdFMnr 
zjZSnr8noB0aHQCGCqG4Bp8= 
=HtDZ 
-----END PGP SIGNATURE----- 



------- Additional Comments From dwb7.edu 2004-09-22 06:35:04 ----

Tom Yu posted about memory leaks intro'ed by the double free patch:

http://mailman.mit.edu/pipermail/kerberos/2004-September/006350.html




------- Additional Comments From ckelley 2004-10-21 11:37:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
1f0ba7abfab47917f282d7aa08eff2b3caacc620  krb5-1.2.4-14.legacy.7x.src.rpm
 
 - SPEC file looks good
 - MITKRB5-SA-2004-001-an_to_ln-1.2.txt is quite large, but checks with
   original MIT published patch
 - 2004-002-k524d_patch_1.2.5.txt is trivial and good
 - 2004-002-patch_1.2.7.txt matches MIT version
 - 2004-003-patch_1.2.8.txt matches MIT version
 - SRPM builds fine
 - Built rpms fuzzily match redhat's 1.2.4-11
 
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBeCwAyQ+yTHz+jJkRAi6qAKCExJo/K/W2MyHVqsNg8O0c4y0/vwCfc7bx
wC3Uzp+jmZGOfR0r9lNGx3g=
=HaBa
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-21 16:41:29 ----

I think we should release soon, even with the memory leaks... other distros
haven't updated their packages for the memory leak and I don't see a patch
anywhere...we can always fix this at another time if a patch crops up.

Still need QA for the rh9 packages.




------- Additional Comments From deisenst 2005-02-15 03:44:43 ----

I would QA this if I ran RH9, but I don't.  

Am wondering if we'll get anyone to QA this?



------- Additional Comments From pekkas 2005-02-15 03:58:48 ----

Well, well, well.. I guess we now have new vulnerabilities to watch out for :)

 http://rhn.redhat.com/errata/RHSA-2005-012.html

CAN-2004-0971
CAN-2004-1189

Maybe the CAN-2004-0772 can also be fixed at the same time (Red Hat apparently
didn't); some vendors have done so..



------- Additional Comments From pekkas 2005-02-26 04:24:34 ----

We need to decide how to go forward here.  A suggestion:
 * FC1: update to 1.3.6, fixing all the vulns
 * RHL9: just rebuild RHEL3 update (which includes new features etc as well)
   - alternative: just take the security patches out of that
 * RHL73: take the RHEL21 patches and apply them to the latest from RHL9;
     however, don't include "KRB5_AC_ENABLE_DNS" which was added in RHEL21
   - alternative: include KRB5_AC_ENABLE_DNS as RHEL21 does.

I'll submit the packages for RHL73 and RHL9 for testing -- I don't use krb5 myself..



------- Additional Comments From pekkas 2005-02-26 06:50:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RPMs for RHL73 and RHL9
 - RHL73 based on 1.2.4-11, plus most patches from RHEL21 (no dns patch)
 - RHL9 just a rebuild of RHEL3 latest with a different version number

Available at: http://staff.csc.fi/psavola/fl/

a233d6cef65bbbb5b8622c0aa69260b637759a90  krb5-1.2.4-15.legacy.src.rpm
dea93161506fbd9e7230ddcc81243094ceb8f3b3  krb5-devel-1.2.4-15.legacy.i386.rpm
f2311e2618911b012ab45a9096890b33b77eed1f  krb5-libs-1.2.4-15.legacy.i386.rpm
6e985e637d778c4f0798a19576582409159709f0  krb5-server-1.2.4-15.legacy.i386.rpm
8565678a9ac7c300de724574bfb4be63a5d25e1b  krb5-workstation-1.2.4-15.legacy.i386.rpm

564f1f8a00f2d7c55ad288487bd52713ad1dd4f6  krb5-1.2.7-38.1.legacy.src.rpm
fcc05a3f2bb11359cd72bd0ed42e41ba19f15b63  krb5-debuginfo-1.2.7-38.1.legacy.i386.rpm
be04293c5a198b8701fbf8eb37de2c28aa36db17  krb5-devel-1.2.7-38.1.legacy.i386.rpm
6b4791d330d269bc13963dc827eaad64edae572a  krb5-libs-1.2.7-38.1.legacy.i386.rpm
5db2ddfaf3defd18d756e4af0fd07b448f1ba5b8  krb5-server-1.2.7-38.1.legacy.i386.rpm
7a2d3f0af1be5b35685f48f152b3be83a700552f 
krb5-workstation-1.2.7-38.1.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCIKjUGHbTkzxSL7QRAsEOAKCn+TgLA5nWD6ct1rBW9hYSlly+bwCeMQwi
4TFGlvCHJs7XVnyOg7aAwaI=
=Nq8P
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-03-01 06:00:22 ----

*** Bug 2267 has been marked as a duplicate of this bug. ***



------- Additional Comments From marcdeslauriers 2005-03-02 18:24:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for fc1:

Changelog:
* Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers> 1.3.4-5.1.legacy
- - Added security patches for CAN-2004-0971 and CAN-2004-1189

397741c8b7c5781f72446c6469f72c111aa02d76  krb5-1.3.4-5.1.legacy.src.rpm
4c18d2d31fe39fa080b367541828ab275fc298de  krb5-devel-1.3.4-5.1.legacy.i386.rpm
c4d844011b87060fc77c543e9c76bea742717706  krb5-libs-1.3.4-5.1.legacy.i386.rpm
669ca1bd5dafd901258f1dcc67e3a28f6939272d  krb5-server-1.3.4-5.1.legacy.i386.rpm
ffc0544369a667fa8b9d062a12e76dd278c00935  krb5-workstation-1.3.4-5.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/krb5-1.3.4-5.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/krb5-devel-1.3.4-5.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/krb5-libs-1.3.4-5.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/krb5-server-1.3.4-5.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/krb5-workstation-1.3.4-5.1.legacy.i386.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJpGMLMAs/0C4zNoRAtO2AJoChNn36dvNLcrMsi2UDmO4lfrZQgCfWYSq
oiYM/uoI4F7EhdIuLB4+qh8=
=1iXW
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-03-02 21:09:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for FC1 w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes OK
 - patches verified to match upstream
 
+PUBLISH FC1
 
397741c8b7c5781f72446c6469f72c111aa02d76  krb5-1.3.4-5.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCJrgIGHbTkzxSL7QRAv5cAKDOZz4GDCQQXnlpCy4KH3id/HhQrwCglCR+
LzxcGvOtyHlBE7yO+iwgzXs=
=dM6V
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-06 05:06:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the packages in comment 19:

7.3:

a233d6cef65bbbb5b8622c0aa69260b637759a90  krb5-1.2.4-15.legacy.src.rpm

- - Source files match previous version
- - New patch files match RHEL
- - New patch file selection is good
- - Spec file changes are good

+PUBLISH

9:

564f1f8a00f2d7c55ad288487bd52713ad1dd4f6  krb5-1.2.7-38.1.legacy.src.rpm

- - Decision to rebuild RHEL is good, no significant changes
- - Source files match RHEL
- - Spec file changes are good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKxxSLMAs/0C4zNoRAjEhAJ9FZ9qlADf2lONd0Tbx04fihqJcEACeJF9Z
Ufx9EpMD2I/XQdMMtFCQ/PY=
=6Wc3
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-06 05:07:35 ----

These are ready to go.




------- Additional Comments From marcdeslauriers 2005-03-06 14:28:39 ----

These packages were pushed to updates-testing



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2040 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2040
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 1726.

Unknown priority P2. Setting to default priority "normal".
Unknown severity major. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was deisner.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-05 23:08:19 UTC
*** Bug 152731 has been marked as a duplicate of this bug. ***

Comment 2 Eric Jon Rostetter 2005-06-03 19:50:56 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 7.3
 
Packages: krb5-devel-1.2.4-16.legacy.i386.rpm
          krb5-libs-1.2.4-16.legacy.i386.rpm
          krb5-server-1.2.4-16.legacy.i386.rpm
          krb5-workstation-1.2.4-16.legacy.i386.rpm
           
Signatures and checksums all okay.
 
Installed on two RHL 7.3 machines without problems/errors. Ran some very
simple tests which all looked good.  Saw no obvious problems or issues.
 
Vote for release. ++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFCoLQK4jZRbknHoPIRAhSQAJwOHRZLPYyNHD7GICb2bVQ/iCZduQCgnBuu
jVhStL0xFVqcBQSQe0CTTgY=
=0KAw
-----END PGP SIGNATURE-----

Comment 3 Pekka Savola 2005-06-16 12:34:47 UTC
One verify, timeouts in 4 weeks (unless superseded by then).

Comment 4 Pekka Savola 2005-06-17 07:04:14 UTC
Newer krb5 packages are pending being built to updates-testing, better continue
tracking this in #154276..

*** This bug has been marked as a duplicate of 154276 ***

