Bug 952188 (CVE-2015-2695) - VUL-0: CVE-2015-2695: krb5: SPNEGO context aliasing bugs
Summary: VUL-0: CVE-2015-2695: krb5: SPNEGO context aliasing bugs
Status: RESOLVED FIXED
Alias: CVE-2015-2695
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Howard Guo
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158282/
Whiteboard: CVSSv2:NVD:CVE-2015-2695:7.1:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-27 12:08 UTC by Andreas Stieger
Modified: 2016-04-27 19:06 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-10-27 12:08:18 UTC 
https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d

 Fix SPNEGO context aliasing bugs [CVE-2015-2695]

The SPNEGO mechanism currently replaces its context handle with the
mechanism context handle upon establishment, under the assumption that
most GSS functions are only called after context establishment.  This
assumption is incorrect, and can lead to aliasing violations for some
programs.  Maintain the SPNEGO context structure after context
establishment and refer to it in all GSS methods.  Add initiate and
opened flags to the SPNEGO context structure for use in
gss_inquire_context() prior to context establishment.

CVE-2015-2695:

In MIT krb5 1.5 and later, applications which call
gss_inquire_context() on a partially-established SPNEGO context can
cause the GSS-API library to read from a pointer using the wrong type,
generally causing a process crash.  This bug may go unnoticed, because
the most common SPNEGO authentication scenario establishes the context
after just one call to gss_accept_sec_context().  Java server
applications using the native JGSS provider are vulnerable to this
bug.  A carefully crafted SPNEGO packet might allow the
gss_inquire_context() call to succeed with attacker-determined
results, but applications should not make access control decisions
based on gss_inquire_context() results prior to context establishment.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: several bugfixes, style changes, and edge-case
behavior changes; commit message and CVE description]

Affects SLE from SLE 11 SP1 up.
openSUSE 13.1, 13.2, Leap 42.1 and Tumbleweed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2695
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2695.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2695
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803083
Comment 1 Swamp Workflow Management 2015-10-27 23:00:15 UTC 
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2015-10-29 16:00:45 UTC 
This is an autogenerated message for OBS integration:
This bug (952188) was mentioned in
https://build.opensuse.org/request/show/341522 13.1 / krb5
https://build.opensuse.org/request/show/341525 13.2 / krb5
Comment 3 Swamp Workflow Management 2015-11-04 09:11:56 UTC 
SUSE-SU-2015:1897-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 948011,952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    krb5-1.12.1-19.1
SUSE Linux Enterprise Server 12 (src):    krb5-1.12.1-19.1
SUSE Linux Enterprise Desktop 12 (src):    krb5-1.12.1-19.1
Comment 4 Swamp Workflow Management 2015-11-04 10:11:37 UTC 
SUSE-SU-2015:1898-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 952188
CVE References: CVE-2015-2695
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    krb5-1.6.3-133.49.97.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    krb5-1.6.3-133.49.97.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    krb5-1.6.3-133.49.97.1, krb5-doc-1.6.3-133.49.97.3, krb5-plugins-1.6.3-133.49.97.3
SUSE Linux Enterprise Server 11-SP4 (src):    krb5-1.6.3-133.49.97.1, krb5-doc-1.6.3-133.49.97.3, krb5-plugins-1.6.3-133.49.97.3
SUSE Linux Enterprise Server 11-SP3 (src):    krb5-1.6.3-133.49.97.1, krb5-doc-1.6.3-133.49.97.3, krb5-plugins-1.6.3-133.49.97.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    krb5-1.6.3-133.49.97.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    krb5-1.6.3-133.49.97.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    krb5-1.6.3-133.49.97.1
Comment 5 Swamp Workflow Management 2015-11-06 17:12:32 UTC 
openSUSE-SU-2015:1928-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
openSUSE 13.2 (src):    krb5-1.12.2-15.1, krb5-mini-1.12.2-15.1
openSUSE 13.1 (src):    krb5-1.11.3-3.21.1, krb5-mini-1.11.3-3.21.1
Comment 8 Swamp Workflow Management 2015-11-16 10:12:49 UTC 
openSUSE-SU-2015:1997-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 948011,952188,952189,952190
CVE References: CVE-2015-2695,CVE-2015-2696,CVE-2015-2697
Sources used:
openSUSE Leap 42.1 (src):    krb5-1.12.1-21.1, krb5-mini-1.12.1-21.1
Comment 9 Swamp Workflow Management 2015-11-17 10:16:52 UTC 
SUSE-SU-2015:1898-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 952188
CVE References: CVE-2015-2695
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    krb5-1.6.3-133.49.97.1
Comment 10 Howard Guo 2015-11-20 09:07:31 UTC 
The update has been released, thus closing the bug report.
Comment 12 Howard Guo 2015-11-20 09:19:41 UTC 
will do.