Your message dated Wed, 13 May 2015 19:22:48 +0000
with message-id <e1yscey-00032e...@franck.debian.org>
and subject line Bug#783557: fixed in krb5 1.12.1+dfsg-20
has caused the Debian Bug report #783557,
regarding CVE-2015-2694 in krb5-otp, krb5-pkinit
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783557
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: krb5
Version: 1.12.1+dfsg-19
Tags: security
Two errors in krb5-otp and krb5-pkinit can interact to allow an attacker
to get a ciphertext in a long-term (potentially password-derived) key
without properly pre-authenticating, allowing for an offline brute-force
attack.
It is believed that both components must be present to trigger the bug;
upstream's commit message for the fix (included below) is written on the
assumption that the OTP functionality is part of the base KDC, but in
Debian we provide it in a separate package, krb5-otp.
-Ben
Prevent requires_preauth bypass [CVE-2015-2694]
In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified. In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm. Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.
CVE-2015-2694:
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.12.1+dfsg-20
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Kaduk <ka...@mit.edu> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 May 2015 14:40:36 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev
libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-doc libkrb5-3
libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3
libkdb5-7 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source all amd64
Version: 1.12.1+dfsg-20
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Benjamin Kaduk <ka...@mit.edu>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-gss-samples - MIT Kerberos GSS Sample applications
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-locales - Internationalization support for MIT Kerberos
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-otp - OTP plugin for MIT Kerberos
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-7 - MIT Kerberos runtime libraries - Kerberos database
libkrad-dev - MIT Kerberos RADIUS Library Development
libkrad0 - MIT Kerberos runtime libraries - RADIUS library
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 783557
Changes:
krb5 (1.12.1+dfsg-20) unstable; urgency=high
.
* Import upstream patch for CVE-2015-2694, Closes: #783557
* Bump Standards-Version to 3.9.6 (no changes needed)
Checksums-Sha1:
dfd5de0a66cf0ecfa919ad365e78dcb4eac6c302 3173 krb5_1.12.1+dfsg-20.dsc
41d5fde83622d7e331c1c45fc9a7546d2edc7e6c 113708 krb5_1.12.1+dfsg-20.debian.tar.xz
135d61383468e8008f0b5b069aa4ba2230af364c 4687166 krb5-doc_1.12.1+dfsg-20_all.deb
fe86221199ee7b2e99c3a0d8ab9edf71ad1057e0 2648242 krb5-locales_1.12.1+dfsg-20_all.deb
e8bdaa8dde1912c0106d24eab318cf488abc41cc 136914 krb5-user_1.12.1+dfsg-20_amd64.deb
999dfa2f3ee5c9704bf19f4a288a1a198b0a9084 209066 krb5-kdc_1.12.1+dfsg-20_amd64.deb
7d777ad5b74393b86701377d80f8fe7f674aeb15 110708 krb5-kdc-ldap_1.12.1+dfsg-20_amd64.deb
848a4117f4d62e72acf7f163d44bf549a1b94999 113144 krb5-admin-server_1.12.1+dfsg-20_amd64.deb
df9c2f6781756d25fcd876733200cebd3f2b7782 144588 krb5-multidev_1.12.1+dfsg-20_amd64.deb
88cf93d3d9abd86a7a98ea03bd3a4c0c930c4737 42184 libkrb5-dev_1.12.1+dfsg-20_amd64.deb
34fc89b53c67974dac9f34abce07912526c5b6c8 1422948 libkrb5-dbg_1.12.1+dfsg-20_amd64.deb
209153e01768b39ca3eb50dae7e9b6cb0c59f688 83398 krb5-pkinit_1.12.1+dfsg-20_amd64.deb
5e2e764788b4d253561ca94e73b101832bcd963c 47810 krb5-otp_1.12.1+dfsg-20_amd64.deb
c619bca5c9064ff28877b6cf7cd48390526ff23b 302960 libkrb5-3_1.12.1+dfsg-20_amd64.deb
d358afae4358ddd973169c0f2baa16debe3e9c1d 150380 libgssapi-krb5-2_1.12.1+dfsg-20_amd64.deb
043a27fe3a649339516f2e09f66ca3da0891fe02 85836 libgssrpc4_1.12.1+dfsg-20_amd64.deb
bc634bdf2ee7779bac892fd4449c39593d15726a 82574 libkadm5srv-mit9_1.12.1+dfsg-20_amd64.deb
fa0e754e5217f0ed84004aa76420355cfbf06e49 67898 libkadm5clnt-mit9_1.12.1+dfsg-20_amd64.deb
0d389a3d407e9d7ecd45fe03d927aaf6eaa0cbf0 114566 libk5crypto3_1.12.1+dfsg-20_amd64.deb
3b40bdea0e67ba891bdcd7790bd0bbbe2fe49f0f 68090 libkdb5-7_1.12.1+dfsg-20_amd64.deb
8f2ea37df2b1657c8e902f7b8f0fc33914d717c5 58604 libkrb5support0_1.12.1+dfsg-20_amd64.deb
7a7fa68991b9896f22c7be953e7221181e413679 52226 libkrad0_1.12.1+dfsg-20_amd64.deb
1c0ba774c55fbd716d7744f85d118f10357dcd99 55474 krb5-gss-samples_1.12.1+dfsg-20_amd64.deb
0a2973fe8c034dc1e5df6b3999159598939cc3c8 42658 libkrad-dev_1.12.1+dfsg-20_amd64.deb
Checksums-Sha256:
c5a9e7069dda3c6696f7d651d82842b12af60c50948be2ce3c4b889761114e65 3173 krb5_1.12.1+dfsg-20.dsc
7b050ce7d9039fc6cb86e7dd2f321549d5de64b75afef0c712bbf9e7c957795d 113708 krb5_1.12.1+dfsg-20.debian.tar.xz
61774c1d40b8fb2f92821fb09745773468630c30a8cb414a3676136f758f0eef 4687166 krb5-doc_1.12.1+dfsg-20_all.deb
72e961a0a804452106b0df58661481237d6a73b4b090b0504103d993afc56111 2648242 krb5-locales_1.12.1+dfsg-20_all.deb
2a96e3336b5a134742893ea65a06d45ffaeae802aa521c0b5404ebeaba5327a5 136914 krb5-user_1.12.1+dfsg-20_amd64.deb
fe41884dedaefad7c3d612d17b1cdb7a1bd58b160eb8701571e6016149d9f02b 209066 krb5-kdc_1.12.1+dfsg-20_amd64.deb
72884420705d5d6fe3c3e80e60a201e13c2a144b7386e6d3d5c0dc31a64666ae 110708 krb5-kdc-ldap_1.12.1+dfsg-20_amd64.deb
37f6a78f1481f9baa1f54176e8b7c56f0a369c3e0b8d9d1fda3635f06a83ebd7 113144 krb5-admin-server_1.12.1+dfsg-20_amd64.deb
641a47d6065c88320ab309ddb91940fdea958da3a2cc4fcac9a66ecf92c953cc 144588 krb5-multidev_1.12.1+dfsg-20_amd64.deb
840b18ae80a73a840c5be6fbb55a21cc476ef9204a6d044f1a0f751a50fbb9ad 42184 libkrb5-dev_1.12.1+dfsg-20_amd64.deb
0134c7adffe00e96d5d70c2d0cf9ee9cedb4488f87bbdb007b82d42ccda935be 1422948 libkrb5-dbg_1.12.1+dfsg-20_amd64.deb
f55b37b2a93f8616cc756805b7ad1c6d5352ab895a9f7978a4943cf8c89fd3ad 83398 krb5-pkinit_1.12.1+dfsg-20_amd64.deb
54f4aad4756be6597dd065570b1bbfeba20adc1d0de2b2d49a46736c38bb70df 47810 krb5-otp_1.12.1+dfsg-20_amd64.deb
88b140966b57629a483120133d401482fd1ec6fa5ed7783a9f273d6464eb853d 302960 libkrb5-3_1.12.1+dfsg-20_amd64.deb
4f999e69a4a50b767f0f5fd86b3fe59f216faf8b3bcb941d905cae2ff0d252a0 150380 libgssapi-krb5-2_1.12.1+dfsg-20_amd64.deb
4d8e352968b4e41186ed786d1b9fc9438565df4093dc5d5b235692b13b534944 85836 libgssrpc4_1.12.1+dfsg-20_amd64.deb
7c66e96475826500b0031d494e366e7e9c70f9c91578d7da46dc7da442eb2514 82574 libkadm5srv-mit9_1.12.1+dfsg-20_amd64.deb
c5d7759d5fe381df67a27dab74d85dc2c415a90836fb1bb0ef477d836ea9f62b 67898 libkadm5clnt-mit9_1.12.1+dfsg-20_amd64.deb
4d3c2a9e85ed793a882b1525d3ed0c52a76609023c0da74ffaa3c4bf2a6addee 114566 libk5crypto3_1.12.1+dfsg-20_amd64.deb
148a5762d25de39f3ceae0ccc5eb0d2502386450ea6fd1ccf8210555f6742076 68090 libkdb5-7_1.12.1+dfsg-20_amd64.deb
811a4cbf507f4d0f5e2b377dec751824380e854b91c469e94d124c22a62d1639 58604 libkrb5support0_1.12.1+dfsg-20_amd64.deb
43d9f7ec715bc39c5572752492c0af5b0ac43946260f2d7cd846645b6731b333 52226 libkrad0_1.12.1+dfsg-20_amd64.deb
6fa3d9fb4cae34ee068639b927223482e9ffc8f0e587ff2b361e24d067957dcd 55474 krb5-gss-samples_1.12.1+dfsg-20_amd64.deb
5a89841743aa242ae5d7bc8700fc04a410420400d8b787c659228c8326a52e49 42658 libkrad-dev_1.12.1+dfsg-20_amd64.deb
Files:
ab22aca977bd13a984575e754e7ae92e 3173 net standard krb5_1.12.1+dfsg-20.dsc
88388ee3191061ae14d07ba9e8fda0cb 113708 net standard krb5_1.12.1+dfsg-20.debian.tar.xz
2b4b7a5377676ee82e7655b40b4714f3 4687166 doc optional krb5-doc_1.12.1+dfsg-20_all.deb
0c232c18c334bd562189f8103afbc5b2 2648242 localization standard krb5-locales_1.12.1+dfsg-20_all.deb
62e457b361c5f066457cb729349647c5 136914 net optional krb5-user_1.12.1+dfsg-20_amd64.deb
c1daa08c66d6d7bc3b5e93134d73d902 209066 net optional krb5-kdc_1.12.1+dfsg-20_amd64.deb
b9fad7c569ab36fd3c45a47cd997d089 110708 net extra krb5-kdc-ldap_1.12.1+dfsg-20_amd64.deb
14bae60722032764a924833606cf09fb 113144 net optional krb5-admin-server_1.12.1+dfsg-20_amd64.deb
8297e6b4ce516939fe1a366aebcb71d2 144588 libdevel optional krb5-multidev_1.12.1+dfsg-20_amd64.deb
11d28e902e52447b8acb9cd841343332 42184 libdevel extra libkrb5-dev_1.12.1+dfsg-20_amd64.deb
048f93397b79f4643d78b0a27cd46d5a 1422948 debug extra libkrb5-dbg_1.12.1+dfsg-20_amd64.deb
5571db329a4a3e755546c5b75c8afbdb 83398 net extra krb5-pkinit_1.12.1+dfsg-20_amd64.deb
48f118497f05c84262c1d9e19dfde3bf 47810 net extra krb5-otp_1.12.1+dfsg-20_amd64.deb
1b24daa151a4cdf1cb661834021aba79 302960 libs standard libkrb5-3_1.12.1+dfsg-20_amd64.deb
4722d41f4248c0813e521532a585fe48 150380 libs standard libgssapi-krb5-2_1.12.1+dfsg-20_amd64.deb
397a894943092147d55336cac60d37d7 85836 libs standard libgssrpc4_1.12.1+dfsg-20_amd64.deb
aa5abf0ff5c673c9da1279d772f4787d 82574 libs standard libkadm5srv-mit9_1.12.1+dfsg-20_amd64.deb
6481be35df98693459dd5ade5dbe5f7a 67898 libs standard libkadm5clnt-mit9_1.12.1+dfsg-20_amd64.deb
00f8239369a7fe18e34162814a237425 114566 libs standard libk5crypto3_1.12.1+dfsg-20_amd64.deb
e26dcd0288b6f458534ee8aeb9b827de 68090 libs standard libkdb5-7_1.12.1+dfsg-20_amd64.deb
af39ed1b15ab43e6166f2a07dc1550cb 58604 libs standard libkrb5support0_1.12.1+dfsg-20_amd64.deb
1bf21a0290e11367092b0928c21ce1e2 52226 libs standard libkrad0_1.12.1+dfsg-20_amd64.deb
7624eccedbc43f7007acbabd7dc80eb4 55474 net extra krb5-gss-samples_1.12.1+dfsg-20_amd64.deb
bf10f53e4dc891f2e9a4190c4fce1fc2 42658 libdevel extra libkrad-dev_1.12.1+dfsg-20_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGgBAEBCgAGBQJVU50zAAoJECjZpvNk63USYR0MH37S1QhczPUx9BKmvTaDBknV
FMW1wljA6HpfMi6/QDINEp7oVI1glEY073bzd0AeXajoUkdUUSZlCdoE+DtES/1T
PMKmFB2qHcWIxUxJBHjeMMKViYl/DcUICnljDFszD40b1G2o/Ogu8BaFGEHH1BJQ
0ieGeJ0uNZ8Wg+nvu2FYpB/6b8T0SBjbc29kt33lu0mTTKv0jv17+pka+bkl18LI
kab0VFd4oWzAM5Epfirbzg89/NrD40Oz8ITgsLcSMTgoGGpZyKY1wQ35cb5dSfkj
kpbJ68rK5zMyE2hiDori0o6vF3Dd+NpeItqd7oE4vEc+VD14Ufq4QuYtrGRq+Oyt
zB8DDn5qpDSJLHdX1CgYF7Fk8348xmruSktibnXvaCv9xR1AHC7Yh5QlpY+x4N3A
cyDMk12x3uCfOK6coattkNmFsA53zbo4XQviGTl2ATAfuVtqLQBXxkJp8c0N4257
tC0HDojaJYG7X+SIqTo5hcVLQJvyoddGU5ORQ5dI8ait5N0=
=iu4F
-----END PGP SIGNATURE-----
--- End Message ---
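The .changes file in the upload notice above lists a SHA-256 digest and size for every artifact of krb5 1.12.1+dfsg-20. A practitioner who mirrors or re-distributes such a security update wants to confirm that the files in hand match what the maintainer signed. The following is an added example, not part of the bug mail and not Debian's own tooling (dscverify and dpkg do this for real): it parses the Checksums-Sha256 stanza, tolerates the mail-wrapped form in which the filename sits on its own line, and checks size and digest of each file. The .changes text, the file names and the file contents in `demo()` are constructed for the demonstration; only the field layout follows the real format.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added illustration, not Debian tooling. The stanza and files below are
constructed so the script runs offline.
"""
import hashlib
import os
import tempfile


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for the given checksum field.

    In a real .changes file each entry is one continuation line
    "<hash> <size> <filename>". Mail clients sometimes wrap the filename onto
    the next line; a bare filename line is therefore joined to the preceding
    "<hash> <size>" line. The stanza ends at a blank line or the next field.
    """
    entries = {}
    in_field = False
    pending = None  # (hash, size) waiting for a wrapped filename line
    for raw in changes_text.splitlines():
        line = raw.strip()
        if not in_field:
            if line == field + ":":
                in_field = True
            continue
        if not line or (line.endswith(":") and " " not in line):
            break  # end of paragraph or start of the next field
        parts = line.split()
        if len(parts) == 3:
            digest, size, name = parts
            entries[name] = (digest.lower(), int(size))
            pending = None
        elif len(parts) == 2 and pending is None:
            pending = (parts[0].lower(), int(parts[1]))
        elif len(parts) == 1 and pending is not None:
            entries[parts[0]] = pending
            pending = None
        else:
            raise ValueError(f"unparseable checksum line: {raw!r}")
    if not in_field:
        raise ValueError(f"field {field} not found")
    if pending is not None:
        raise ValueError("checksum entry without a filename")
    return entries


def verify_files(entries, directory):
    """Check each listed file; return {filename: 'ok' or a mismatch reason}."""
    results = {}
    for name, (expected_digest, expected_size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual_size = os.path.getsize(path)
        if actual_size != expected_size:
            results[name] = f"size mismatch ({actual_size} != {expected_size})"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected_digest else "sha256 mismatch"
    return results


def demo():
    """Constructed scenario: one intact file, one replaced after the checksum
    list was produced (same size, different bytes), one listed but absent."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "demo-good_1.0_all.deb": b"good package contents\n",
            "demo-tampered_1.0_all.deb": b"original contents\n",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        changes = "Format: 1.8\nSource: demo\nChecksums-Sha256:\n"
        for name, data in files.items():
            # mail-wrapped form: filename on its own line
            changes += f" {hashlib.sha256(data).hexdigest()} {len(data)}\n {name}\n"
        absent = b"never uploaded\n"
        changes += f" {hashlib.sha256(absent).hexdigest()} {len(absent)} demo-missing_1.0_all.deb\n"
        changes += "Files:\n"
        # Simulate a substituted artifact of identical size.
        with open(os.path.join(d, "demo-tampered_1.0_all.deb"), "wb") as f:
            f.write(b"replaced contents\n")
        return verify_files(parse_checksums(changes), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

Size is compared before hashing so that a truncated download is reported as such rather than as a bare digest mismatch; the digest comparison is what catches a same-length substitution like the one in `demo()`. Checking the stanza is only half the job: the .changes file itself is worth trusting only after its PGP signature has been verified against the uploader's key.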