Bug 55461 - heimdal: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2022-11-28 12:40 CET by Quality Assurance
Modified: 2022-11-30 13:28 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (sources: NVD, RedHat, debian/changelog)
Description Quality Assurance univentionstaff 2022-11-28 12:40:25 CET
New Debian heimdal 7.5.0+dfsg-3+deb10u1A~5.0.2.202211281239 fixes:
This update addresses the following issues:
* The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC (CVE-2019-14870)
* Null pointer dereference on missing sname in TGS-REQ (CVE-2021-3671)
* heimdal (CVE-2021-44758)
* heap buffer overflow in GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal (CVE-2022-3437)
* Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue. (CVE-2022-41916)
* integer overflow vulnerabilities in PAC parsing (CVE-2022-42898)
* heimdal (CVE-2022-44640)
Comment 1 Quality Assurance univentionstaff 2022-11-28 13:00:11 CET
--- mirror/ftp/pool/main/h/heimdal/heimdal_7.5.0+dfsg-3A~5.0.0.202103261107.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/heimdal_7.5.0+dfsg-3+deb10u1A~5.0.2.202211281239.dsc
@@ -1,4 +1,4 @@
-7.5.0+dfsg-3A~5.0.0.202103261107 [Fri, 26 Mar 2021 11:07:38 +0100] Univention builddaemon <buildd@univention.de>:
+7.5.0+dfsg-3+deb10u1A~5.0.2.202211281239 [Mon, 28 Nov 2022 12:40:32 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-password_sync
@@ -8,6 +8,37 @@
     0098-s4-badPwdCount-02-part3
     0100-disable-prompt-when-using-pam
 
+7.5.0+dfsg-3+deb10u1 [Sat, 26 Nov 2022 17:00:54 +0100] Guilhem Moulin <guilhem@debian.org>:
+
+  * Non-maintainer upload by the LTS Security Team, with fixes for:
+    + CVE-2019-14870: The AD KDC before 7.7.1/7.8 does not apply
+      delegation_not_allowed (aka not-delegated) user attributes for S4U2Self;
+      instead the forwardable flag is set even if the impersonated client has
+      the not-delegated flag set. Closes: #946786.
+    + CVE-2021-3671: A NULL dereference was found in the way the server
+      handled a missing sname in TGS-REQ, leading to denial of service of the
+      KDC before 7.7.1/7.8. Closes: #996586.
+    + CVE-2021-44758: An initial SPNEGO token that has no acceptable
+      mechanisms causes a NULL dereference in acceptors. Closes: #1024187.
+      - Follow-up regression (FTBFS) fix: gss: Remove useless grep from
+        check-context.
+    + CVE-2022-3437: RC4 (arcfour), 1DES and 3DES3 unwrap didn't use constant
+      memcmp() and were subject to buffer overflow, potentially leaking secret
+      keys when using these ciphers. Closes: #1024187.
+    + CVE-2022-41916: The KDC and 3rd party applications using Heimdal's
+      libhx509 before 7.7.1/7.8 is subject to a denial of service
+      vulnerability due to an out of bound read in the PKI certificate
+      validation library. Closes: #1024187.
+    + CVE-2022-42898: Heimdal before 7.7.1/7.8 suffers from an integer
+      multiplication overflow when calculating how many bytes to allocate for
+      a buffer for the parsed Privilege Attribute Certificate (PAC).  64 bits
+      systems are not exploitable. Closes: #1024187.
+      - Follow-up regression fix for lib/krb5/store-int.c:_krb5_get_int64() on
+        32-bit systems.
+    + CVE-2022-44640: Invalid free() in ASN.1 codec, potentially allowing
+      remote code execution against Heimdal KDCs before 7.7.1/7.8.
+      Closes: #1024187.
+
 7.5.0+dfsg-3 [Tue, 21 May 2019 18:04:35 +1000] Brian May <bam@debian.org>:
 
   * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
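Review bot: the CVE-2022-3437 entry in this hunk says the unwrap routines "didn't use constant memcmp()"; the intended wording is "constant-time memcmp()", and "1DES and 3DES3" should read "1DES and 3DES" (the bug description above names unwrap_des() and unwrap_des3()). Two smaller wording points in the same hunk: "The KDC and 3rd party applications using Heimdal's libhx509 before 7.7.1/7.8 is subject to" should be "are subject to", and "64 bits systems" should be "64-bit systems". The entries are otherwise consistent with the CVE list in the description.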

<http://piuparts.knut.univention.de/5.0-2/#2421085848081113613>
Comment 2 Philipp Hahn univentionstaff 2022-11-29 10:36:54 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] 0e100b70ac Bug #55461: heimdal 7.5.0+dfsg-3+deb10u1A~5.0.2.202211281239
 doc/errata/staging/heimdal.yaml | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

[5.0-2] 5b14557c32 Bug #55461: heimdal 7.5.0+dfsg-3+deb10u1A~5.0.2.202211281239
 doc/errata/staging/heimdal.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)