Package: krb5 / 1.12.1+dfsg-19
Metadata
| Package | Version | Patches format |
|---|---|---|
| krb5 | 1.12.1+dfsg-19 | 3.0 (quilt) |
Patch series
| Patch | File delta (lines changed: + added, - removed, ! modified) | Description |
|---|---|---|
| 0001 ticket new.patch | src/clients/ksu/ksu.h: 8 (6+ 2- 0!) | ticket: new. riable handling. Fix error messages from ksu. patch-name: ksu-fix-env-errors |
| debian local/0002 Debian HURD compatibility.patch | src/include/k5-int.h: 3 (3+ 0- 0!) | debian: hurd compatibility. HURD has no MAXPATHLEN or MAXHOSTLEN. Patch-Category: debian-local |
| debian local/0003 debian suppress usr lib in krb5 config.patch | src/build-tools/krb5-config.in: 14 (9+ 5- 0!) | debian: suppress /usr/lib in krb5-config. Handle multi-arch suppressions. Patch-Category: debian-local |
| debian local/0004 debian osconf.hin path changes.patch | src/include/osconf.hin: 4 (2+ 2- 0!) | debian: osconf.hin path changes. Patch-Category: debian-local |
| debian local/0005 debian install ldap library in subdirectory.patch | src/plugins/kdb/ldap/Makefile.in: 1 (1+ 0- 0!) | debian: install ldap library in subdirectory. Debian received a request to install the internal ldap library not in the main lib directory. We are changing SHLIB_DIRS from the default that upstream sets in the makefile includes; assign unconditionally the full value. Patch-Category: debian-local |
| debian local/0006 gssapi never unload mechanisms.patch | src/lib/gssapi/mechglue/g_initialize.c: 2 (0+ 2- 0!) | gssapi: never unload mechanisms. It turns out that many GSSAPI mechanisms link to the main gss-api library creating a circular reference. Depending on how the linker breaks the cycle at process exit time, the linker may unload the GSS library after unloading the mechanisms. The explicit dlclose from the GSS library tends to cause a libdl assertion failure at that point. So, never unload plugins. They are refcounted, so dlopen handles will not leak, although obviously the memory from the plugin is never reclaimed. ticket: 7135 Patch-Category: debian-local |
| debian local/0007 Add substpdf target.patch | src/doc/Makefile.in: 15 (15+ 0- 0!) | add substpdf target. Akin to substhtml, so that we can build PDF documents without overwriting the upstream-provided versions and causing debian/rules clean to not return to the original state. Patch-Category: debian-local |
| upstream/0008 Move OTP sockets to KDC_RUN_DIR.patch | doc/admin/otp.rst: 5 (3+ 2- 0!) | move otp sockets to kdc_run_dir. Some system configurations expect Unix-domain sockets to live under /run or /var/run, and not other parts of /var where persistent application state lives. Define a new directory KDC_RUN_DIR using $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run if it's not set) and use that for the default socket path. [ghudson@mit.edu: commit message, otp.rst formatting fix] ticket: 7859 (new) Patch-Category: upstream |
| upstream/0009 Avoid duplicate etc krb5.conf in profile path.patch | src/configure.in: 9 (9+ 0- 0!) | avoid duplicate "/etc/krb5.conf" in profile path. If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows up twice in the profile path, which causes its contents to be read twice. This can cause some confusing and possibly problematic behavior. Add some logic to configure.in to avoid adding the duplicate entry for "/etc/krb5.conf". Reported independently by Denis Vlasenko and Fredrik Tolf. ticket: 3277 tags: pullup target_version: 1.12.2 Patch-Category: upstream |
| 0010 autoreconf.patch | src/configure: 303 (164+ 139- 0!) | autoreconf |
| upstream/0011 Load mechglue config files from etc gss mech.d.patch | src/lib/gssapi/mechglue/g_initialize.c: 65 (54+ 11- 0!) | load mechglue config files from /etc/gss/mech.d. In addition to loading /etc/gss/mech, glob for *.conf files in /etc/gss/mech.d. Load only config files which have changed since the highest mtime we saw in the previous scan. Scan at most once per second to avoid excessive numbers of filesystem syscalls for busy GSSAPI applications. [ghudson@mit.edu: rewrote commit message; style changes; added once-per-second throttle on glob/stat calls] ticket: 7882 (new) Patch-Category: upstream |
| 0012 Read etc gss mech when no files in mech.d.patch | src/lib/gssapi/mechglue/g_initialize.c: 12 (11+ 1- 0!) | read /etc/gss/mech when no files in mech.d. If the call to glob fails, it's still necessary to read /etc/gss/mech if that file exists. ticket: 7925 |
| 0013 Do not loop on add_cred_from and other new methods.patch | src/lib/gssapi/mechglue/g_initialize.c: 8 (4+ 4- 0!) | do not loop on add_cred_from and other new methods. Several new GSS-API methods were added but GSSAPI_ADD_METHOD was called to add them rather than GSSAPI_ADD_METHOD_NOLOOP. This means that the implementation from the GSS-API mechglue would be used if the mechanism had no implementation. As a result, the mechglue will call into itself exhausting the call stack in an endless loop when one of these methods is called. ticket: 7926 |
| 0014 Handle invalid RFC 1964 tokens CVE 2014 4341.patch | src/lib/gssapi/krb5/k5unseal.c: 41 (33+ 8- 0!) | handle invalid rfc 1964 tokens [cve-2014-4341 cve-2014-4342]. target_version: 1.12.2 tags: pullup |
| upstream/0015 Fix double free in SPNEGO CVE 2014 4343.patch | src/lib/gssapi/spnego/spnego_mech.c: 1 (0+ 1- 0!) | fix double-free in spnego [cve-2014-4343]. In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the pointer sc->internal_mech became an alias into sc->mech_set->elements, which should be considered constant for the duration of the SPNEGO context. So don't free it. CVE-2014-4343: In MIT krb5 releases 1.10 and newer, an unauthenticated remote attacker with the ability to spoof packets appearing to be from a GSSAPI acceptor can cause a double-free condition in GSSAPI initiators (clients) which are using the SPNEGO mechanism, by returning a |
| upstream/0016 Fix null deref in SPNEGO acceptor CVE 2014 4344.patch | src/lib/gssapi/spnego/spnego_mech.c: 2 (1+ 1- 0!) | null dereference in spnego acceptor for continuation tokens [cve-2014-4344]. target_version: 1.12.2 tags: pullup Patch-Category: upstream |
| upstream/0017 Use TAILQ macros instead of CIRCLEQ in libdb2.patch | src/plugins/kdb/db2/libdb2/mpool/mpool.c: 43 (20+ 23- 0!) | use tailq macros instead of circleq in libdb2. The optimizer in gcc 4.8.1 (but not the current gcc head revision) breaks the queue.h CIRCLEQ macros, apparently due to an overzealous strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code instead. (cherry picked from commit 26d874412983c4c9979a9f5e7bec51834ad4cda5) ticket: 7860 version_fixed: 1.12.2 status: resolved (cherry picked from commit c7bb9278ad12c9278f316479af56f9e952f4d650) Patch-Category: upstream |
| debian local/0018 Quick and dirty fix to building O3.patch | src/kadmin/dbutil/dump.c: 2 (1+ 1- 0!) | quick and dirty fix to building -o3. This is a quick and dirty fix to pacify gcc which is over-concerned about uninitialized variables at -O3. This should allow Ubuntu to sync krb5 without need for any ubuntu changes. Patch-Category: debian-local |
| upstream/0019 Fix LDAP key data segmentation CVE 2014 4345.patch | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: 3 (2+ 1- 0!) | fix ldap key data segmentation [cve-2014-4345]. For principal entries having keys with multiple kvnos (due to use of -keepold), the LDAP KDB module makes an attempt to store all the keys having the same kvno into a single krbPrincipalKey attribute value. There is a fencepost error in the loop, causing currkvno to be set to the just-processed value instead of the next kvno. As a result, the second and all following groups of multiple keys by kvno are each stored in two krbPrincipalKey attribute values. Fix the loop to use the correct kvno value. CVE-2014-4345: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overrun) by performing multiple cpw -keepold operations. An off-by-one error while copying key information to the new database entry results in keys sharing a common |
| 0020 Treat krb.hin as a C file for doxygen.patch | src/doc/Doxyfile.in: 1 (1+ 0- 0!) | treat krb.hin as a c file for doxygen. Recent releases of doxygen appear to not map unknown extensions to the C type; since we are processing the configure-input file krb5.hin, explicitly map it as being a C language file for processing by doxygen. |
| debian local/0021 Fix pkg config library include paths.patch | src/build-tools/gssrpc.pc.in: 4 (2+ 2- 0!) | fix pkg-config library/include paths. Include library and include flags in pkg-config files, so they work when the symlinks provided by libkrb5-dev are not installed. Patch-Category: debian-local |
| debian local/0022 Fix krb5 config paths.patch | src/build-tools/krb5-config.in: 14 (3+ 11- 0!) | fix krb5-config paths. Include library and include flags in krb5-config, so they work when the symlinks provided by libkrb5-dev are not installed. Patch-Category: debian-local |
| debian local/0023 Use isystem for include paths.patch | src/build-tools/gssrpc.pc.in: 2 (1+ 1- 0!) | use -isystem for include paths. This is necessary so Kerberos header files are classified as "system headers" by the compiler, and thus not subject to the same strict warnings as other headers (which breaks compilation if -Werror is specified). This fixes the build of folks using -Werror and including Kerberos headers when the latter are installed in a non-standard location (e.g. /usr/include/tuple/mit-krb5, as Debian is doing). |
| upstream/0024 Return only new keys in randkey CVE 2014 5351.patch | src/lib/kadm5/srv/svr_principal.c: 21 (18+ 3- 0!) | return only new keys in randkey [cve-2014-5351]. In kadmind's randkey operation, if a client specifies the keepold flag, do not include the preserved old keys in the response. CVE-2014-5351: An authenticated remote attacker can retrieve the current keys for a service principal when generating a new set of keys for that principal. The attacker needs to be authenticated as a user who has the elevated privilege for randomizing the keys of other principals. Normally, when a Kerberos administrator randomizes the keys of a service principal, kadmind returns only the new keys. This prevents an administrator who lacks legitimate privileged access to a service from forging tickets to authenticate to that service. If the "keepold" flag to the kadmin randkey RPC operation is true, kadmind retains the old keys in the KDC database as intended, but also unexpectedly returns the old keys to the client, which exposes the service to ticket forgery attacks from the administrator. A mitigating factor is that legitimate clients of the affected service will start failing to authenticate to the service once they begin to receive service tickets encrypted in the new keys. The affected service will be unable to decrypt the newly issued tickets, possibly alerting the legitimate administrator of the affected service. CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVE description and CVSS score] ticket: 8018 (new) target_version: 1.13 tags: pullup (cherry picked from commit af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca) Patch-Category: upstream |
| upstream/0025 Fix build on systems without RTM_OLD.patch | src/lib/apputils/net-server.c: 4 (4+ 0- 0!) | fix build on systems without rtm_old*. For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API in March 2014, with the message: Garbage collect long time obsoleted (or never used) stuff from routing API. Only attempt to define behavior for these cases if they are defined. (cherry picked from commit fd352d41a79013114708e99510b6be3836200237) ticket: 7955 version_fixed: 1.12.2 status: resolved (cherry picked from commit 37f87c189ff050c01282f3d8da7bc97fe8a9ea92) Patch-Category: upstream |
| upstream/0026 Remove rtm_type_name.patch | src/lib/apputils/net-server.c: 35 (0+ 35- 0!) | remove rtm_type_name(). It has been unused since 2009 when Ken decided that the routing log messages were too verbose (commit 91fc077c96926dd60). (cherry picked from commit bcc91c8d8b3d5b775cfde1ee461d7e0394070852) There was a slight conflict because commit 3a8eaa43045fb242739ad9729bb66f915be209b9 had #if 0'd this function, but that commit is too large for the current purpose. Patch-Category: upstream |
| upstream/0027 Fix LDAP misused policy name crash CVE 2014 5353.patch | src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c: 7 (4+ 3- 0!) | fix ldap misused policy name crash [cve-2014-5353]. In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns successfully with no results, return KRB5_KDB_NOENTRY instead of returning success with a zeroed-out policy object. This fixes a null dereference when an admin attempts to use an LDAP ticket policy name as a password policy name. CVE-2014-5353: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by attempting to use a named ticket policy object as a password policy for a principal. The attacker needs to be authenticated as a user who has the elevated privilege for setting password policy by adding or modifying principals. Queries to LDAP scoped to the krbPwdPolicy object class will correctly not return entries of other classes, such as ticket policy objects, but may return success with no returned elements if an object with the |
| 0028 Support keyless principals in LDAP CVE 2014 5354.patch | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: 23 (17+ 6- 0!) | kadmind with ldap backend crashes when putting keyless entries. (cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16) Some of the "other fixes" to krb5_encode_krbsecretkey() do not apply on the 1.12 branch. The patch needed to be modified slightly to account for the absence of commit 1825455ede7e61ab934b16262fb5b12b78a52f1a on the 1.12 branch upon which this branch is based. The tests added to exercise this functionality do pass, even with the modified form of the commit. Patch-category: upstream |
| upstream/0029 MITKRB5 SA 2015 0001.patch | src/kadmin/server/kadm_rpc_svc.c: 12 (3+ 9- 0!) | mitkrb5-sa-2015-0001. Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token. CVE-2014-5352: gss_process_context_token() incorrectly frees context. CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C, CVSSv2 Base Score: 9.0 (Access Vector: Network, Access Complexity: Low, Authentication: Single, Confidentiality Impact: Complete, Integrity Impact: Complete, Availability Impact: Complete), CVSSv2 Temporal Score: 7.0 (Exploitability: Proof-of-Concept, Remediation Level: Official Fix, Report Confidence: Confirmed). CVE-2014-9421: kadmind doubly frees partial deserialization results. CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C, CVSSv2 Base Score: 9.0, CVSSv2 Temporal Score: 7.0. CVE-2014-9422: kadmind incorrectly validates server principal name. CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:C/E:POC/RL:OF/RC:C, CVSSv2 Base Score: 6.1, CVSSv2 Temporal Score: 4.8. CVE-2014-9423: libgssrpc server applications leak uninitialized bytes. CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C, CVSSv2 Base Score: 5.0, CVSSv2 Temporal Score: 4.4. Patch-Category: upstream |
| upstream/0030 Fix krb5_read_message handling CVE 2014 5355.patch | src/appl/user_user/server.c: 4 (3+ 1- 0!) | fix krb5_read_message handling [cve-2014-5355]. In recvauth_common, do not use strcmp against the data fields of krb5_data objects populated by krb5_read_message(), as there is no guarantee that they are C strings. Instead, create an expected krb5_data value and use data_eq(). In the sample user-to-user server application, check that the received client principal name is null-terminated before using it with printf and krb5_parse_name. CVE-2014-5355: In MIT krb5, when a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example user-to-user server application (uuserver) is similarly vulnerable to a zero-length or non-null-terminated principal name string. The krb5_recvauth function reads two version strings from the client using krb5_read_message(), which produces a krb5_data structure containing a length and a pointer to an octet sequence. krb5_recvauth assumes that the data pointer is a valid C string and passes it to strcmp() to verify the versions. If the client sends an empty octet sequence, the data pointer will be NULL and strcmp() will dereference a NULL pointer, causing the process to crash. If the client sends a non-null-terminated octet sequence, strcmp() will read beyond the end of the allocated storage, possibly causing the process to crash. uuserver similarly uses krb5_read_message() to read a client principal name, and then passes it to printf() and krb5_parse_name() without verifying that it is a valid C string. The krb5_recvauth function is used by kpropd and the Kerberized versions of the BSD rlogin and rsh daemons. These daemons are usually run out of inetd or in a mode which forks before processing incoming connections, so a process crash will generally not result in a complete denial of service. Thanks to Tim Uglow for discovering this issue. CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVSS score] ticket: 8050 (new) target_version: 1.13.1 tags: pullup (cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec) Patch-Category: upstream |
