krb5 security update

CentOS Errata and Security Advisory CESA-2015:0439

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor
for continuation tokens. A remote, unauthenticated attacker could use this flaw
to crash a GSSAPI-enabled server application. (CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it
was used with an LDAP back end for the KDC database. A remote, authenticated
attacker could potentially use this flaw to execute arbitrary code on the system
running kadmind. (CVE-2014-4345)

A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make an
application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)

If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy could
crash kadmind by attempting to use a named ticket policy object as a password
policy for a principal. (CVE-2014-5353)

A double-free flaw was found in the way MIT Kerberos handled invalid External
Data Representation (XDR) data. An authenticated user could use this flaw to
crash the MIT Kerberos administration server (kadmind), or other applications
using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)

It was found that the MIT Kerberos administration server (kadmind) incorrectly
accepted certain authentication requests for two-component server principal
names. A remote attacker able to acquire a key with a particularly named
principal (such as “kad/x”) could use this flaw to impersonate any user to
kadmind, and perform administrative actions as that user. (CVE-2014-9422)

An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send a
specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain
requests. A remote, unauthenticated attacker able to inject packets into a
client or server application’s GSSAPI session could use either of these flaws to
crash the application. (CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker
able to spoof packets to appear as though they are from an GSSAPI acceptor could
use this flaw to crash a client application that uses MIT Kerberos.
(CVE-2014-4343)

Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis of
CVE-2014-5352.

The krb5 packages have been upgraded to upstream version 1.12, which provides a
number of bug fixes and enhancements, including:

• Added plug-in interfaces for principal-to-username mapping and verifying
  authorization to user accounts.

• When communicating with a KDC over a connected TCP or HTTPS socket, the client
  gives the KDC more time to reply before it transmits the request to another
  server. (BZ#1049709, BZ#1127995)

This update also fixes multiple bugs, for example:

• The Kerberos client library did not recognize certain exit statuses that the
  resolver libraries could return when looking up the addresses of servers
  configured in the /etc/krb5.conf file or locating Kerberos servers using DNS
  service location. The library could treat non-fatal return codes as fatal
  errors. Now, the library interprets the specific return codes correctly.
  (BZ#1084068, BZ#1109102)

In addition, this update adds various enhancements. Among others:

• Added support for contacting KDCs and kpasswd servers through HTTPS proxies
  implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-March/027880.html

Affected packages:
krb5-devel
krb5-libs
krb5-pkinit
krb5-server
krb5-server-ldap
krb5-workstation

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:0439