RT RT/krbdev.mit.edu: Ticket #6833 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others) Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
6833
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.8.4
Target_Version
  • 1.8.4
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
  • 6827: (ghudson) SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others) [resolved]
Referred to by:
 
 Dates  
Created: Sat Dec 4 00:11:05 2010
Starts: Not set
Started: Sat Dec 4 00:11:05 2010
Last Contact: Not set
Due: Not set
Updated: Sat Dec 4 00:23:20 2010 by tlyu
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu
Cc
 
AdminCc
 
 

 More about Taylor Yu  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Sat Dec  4 00:11:05 2010  tlyu - Ticket created    
     
From: tlyu@mit.edu
Subject: SVN Commit


Apply patch for MITKRB5-SA-2010-007.

Fix multiple checksum handling bugs, as described in:
  CVE-2010-1324
  CVE-2010-1323
  CVE-2010-4020
  CVE-2010-4021

* Return the correct (keyed) checksums as the mandatory checksum type
  for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
  with simplified-profile key derivation or other algorithms relying
  on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
  instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
  default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
  FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
  enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.

https://github.com/krb5/krb5/commit/bac36d1fd252ac8b3cb8bfa3855f20762635cd50
Commit By: tlyu
Revision: 24560
Changed Files:
U   branches/krb5-1-8/src/lib/crypto/krb/cksumtypes.c
U   branches/krb5-1-8/src/lib/crypto/krb/dk/derive.c
U   branches/krb5-1-8/src/lib/crypto/krb/keyed_checksum_types.c
U   branches/krb5-1-8/src/lib/gssapi/krb5/util_crypt.c
U   branches/krb5-1-8/src/lib/krb5/krb/mk_safe.c
U   branches/krb5-1-8/src/lib/krb5/krb/pac.c
U   branches/krb5-1-8/src/lib/krb5/krb/preauth2.c
U   branches/krb5-1-8/src/plugins/preauth/pkinit/pkinit_srv.c


Download (untitled) 1.6k
      Sat Dec  4 00:11:05 2010  tlyu - Requestor tlyu@mit.edu added    
      Sat Dec  4 00:11:05 2010  tlyu - Status changed from new to resolved    
      Sat Dec  4 00:11:05 2010  tlyu - Target_Version 1.8.4 added    
      Sat Dec  4 00:11:05 2010  tlyu - Version_Fixed 1.8.4 added    
      Sat Dec  4 00:23:20 2010  tlyu - Ticket 6833 RefersTo ticket 6827.