Package: krb5 / 1.17-3+deb10u4

Metadata

Package: krb5
Version: 1.17-3+deb10u4
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
debian local/0001 Debian HURD compatibility.patch

src/clients/ksu/ksu.h | 4 4 + 0 - 0 !
src/include/k5-int.h | 3 3 + 0 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/kprop/kprop_util.c | 4 4 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 3 3 + 0 - 0 !
src/lib/krb5/os/sn2princ.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
src/tests/resolve/resolve.c | 4 4 + 0 - 0 !
8 files changed, 30 insertions(+)

 debian: hurd compatibility

HURD has no MAXPATHLEN or MAXHOSTLEN.

Patch-Category: debian-local

debian local/0002 debian Handle multi arch paths in krb5 config.patch

src/build-tools/krb5-config.in | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 debian: handle multi-arch paths in krb5-config

We cannot use @libdir@ because that will include the
multi-arch prefix in the built krb5-config, but we want krb5-config to
be identical on all arches so that krb5-multidev can be multi-arch:
same.  So, instead, figure out our multi-arch triple by calling CC
directly.

Based on an approach suggested by Hugh McMaster.

Also include --deps in the usage output, since it is a valid argument.

Patch-Category: debian-local

debian local/0003 debian osconf.hin path changes.patch

src/include/osconf.hin | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

debian local/0004 debian install ldap library in subdirectory.patch

src/plugins/kdb/ldap/Makefile.in | 1 1 + 0 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.

Patch-Category: debian-local

debian local/0005 gssapi never unload mechanisms.patch

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

Patch-Category: debian-local

debian local/0006 Add substpdf target.patch

src/doc/Makefile.in | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 add substpdf target

Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.

Patch-Category: debian-local

debian local/0007 Fix pkg config library include paths.patch

src/build-tools/gssrpc.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-client.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-server.pc.in | 4 2 + 2 - 0 !
src/build-tools/kdb.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5.pc.in | 4 2 + 2 - 0 !
6 files changed, 12 insertions(+), 12 deletions(-)

 fix pkg-config library/include paths

Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.

Patch-Category: debian-local

debian local/0008 Use isystem for include paths.patch

src/build-tools/gssrpc.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-client.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-server.pc.in | 2 1 + 1 - 0 !
src/build-tools/kdb.pc.in | 2 1 + 1 - 0 !
src/build-tools/krb5-config.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5.pc.in | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 use -isystem for include paths

This is necessary so Kerberos header files are classified as "system headers"
by the compiler, and thus not subject to the same strict warnings as
other headers (which breaks compilation if -Werror is specified).

This fixes the build of folks using -Werror and including Kerberos headers
when the latter are installed in a non-standard location (e.g.
/usr/include/tuple/mit-krb5, as Debian is doing).

(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)

upstream/0009 Remove erroneous text from kinit man page.patch

doc/user/user_commands/kinit.rst | 3 1 + 2 - 0 !
src/man/kinit.man | 5 2 + 3 - 0 !
2 files changed, 3 insertions(+), 5 deletions(-)

 remove erroneous text from kinit man page

Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
page to state that kinit -E (enterprise) implies -C (canonicalize).
The client does not automatically set the canonicalize option when
getting tickets for an enterprise principal, and Windows KDCs can
issue tickets for enterprise principals without canonicalizing the
principal (contrary to the implication of RFC 6806 section 5).  Remove
the misleading text.

[ghudson@mit.edu: updated RST man page and regenerated nroff file;
rewrote commit message]

(cherry picked from commit 8e31335a7722a2f7f1722506befe4fd26d3e3f3f)

ticket: 8779
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0010 Fix memory leak in none replay cache type.patch

src/lib/krb5/rcache/rc_none.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix memory leak in 'none' replay cache type

Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
leak in the 'none' replay cache type by freeing the outer container,
but we also need to free the mutex.

[ghudson@mit.edu: wrote commit message]

(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)

ticket: 8783
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0011 Document the double colon behavior of DIR ccaches.patch

doc/basic/ccache_def.rst | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 document the double-colon behavior of dir ccaches

(cherry picked from commit 5ba6e02a7b96ddd15dde01db0f9aff3d65773a8e)

ticket: 8789
version_fixed: 1.17.1

Patch-Category: upstream

upstream/0012 CVE 2020 28196.patch

src/lib/krb5/asn.1/asn1_encode.c | 16 9 + 7 - 0 !
1 file changed, 9 insertions(+), 7 deletions(-)

 cve-2020-28196

Add recursion limit for ASN.1 indefinite lengths

The libkrb5 ASN.1 decoder supports BER indefinite lengths.  It
computes the tag length using recursion; the lack of a recursion limit
allows an attacker to overrun the stack and cause the process to
crash.  Reported by Demi Obenour.

CVE-2020-28196:

In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
cause a denial of service for any client or server to which it can
send an ASN.1-encoded Kerberos message of sufficient length.

(cherry picked from commit 57415dda6cf04e73ffc3723be518eddfae599bfd)

ticket: 8959
version_fixed: 1.17.2

(cherry picked from commit 9239fa1d0124bdf3c78c20eb70873e3af2baabb1)

Patch-Category: upstream
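Added example for the bug class behind CVE-2020-28196. This is not krb5's decoder and is not taken from asn1_encode.c; it is a minimal BER length walker written for this page. It shows why an indefinite-length value forces the decoder to recurse (the length is only known once the nested elements have been walked to the 00 00 end-of-contents marker) and how a depth cap of the kind this patch adds turns an unbounded recursion into an error return. BER_MAX_DEPTH, the function names, the result codes and the constructed test input (n nested 30 80 SEQUENCEs closed by n 00 00 pairs) are this example's own choices, not values from the krb5 source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_MAX_DEPTH 32   /* assumed cap for this example, not the value krb5 chose */

enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD = -2, BER_TOO_DEEP = -3 };

/*
 * Measure the BER TLV at buf[0]: store its total size (identifier, length
 * octets, contents, end-of-contents) in *out_len. A definite length is read
 * directly, no recursion. An indefinite length (0x80) carries no size, so the
 * only way to find its end is to walk the nested elements until the 00 00
 * marker; that walk recurses, and `depth` is the guard the unpatched decoder lacked.
 */
static int ber_measure(const uint8_t *buf, size_t len, int depth, size_t *out_len)
{
    size_t pos = 0, content = 0;
    int constructed;
    uint8_t lb;

    if (depth > BER_MAX_DEPTH)
        return BER_TOO_DEEP;
    if (len < 2)
        return BER_TRUNCATED;
    constructed = (buf[0] & 0x20) != 0;
    if ((buf[0] & 0x1f) == 0x1f) {                 /* high-tag-number form */
        do {
            if (++pos >= len)
                return BER_TRUNCATED;
        } while (buf[pos] & 0x80);
    }
    if (++pos >= len)                              /* first length octet */
        return BER_TRUNCATED;
    lb = buf[pos++];

    if (lb == 0x80) {                              /* indefinite length */
        if (!constructed)
            return BER_BAD;                        /* primitives may not use it */
        for (;;) {
            size_t inner;
            int rc;
            if (pos + 2 > len)
                return BER_TRUNCATED;
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) {
                pos += 2;                          /* end-of-contents octets */
                break;
            }
            rc = ber_measure(buf + pos, len - pos, depth + 1, &inner);
            if (rc != BER_OK)
                return rc;
            pos += inner;
        }
        *out_len = pos;
        return BER_OK;
    }
    if (lb < 0x80) {                               /* short form */
        content = lb;
    } else {                                       /* long form: lb & 0x7f octets follow */
        int n = lb & 0x7f, i;
        if (n > (int)sizeof(size_t))
            return BER_BAD;
        if (pos + (size_t)n > len)
            return BER_TRUNCATED;
        for (i = 0; i < n; i++)
            content = (content << 8) | buf[pos++];
    }
    if (content > len - pos)
        return BER_TRUNCATED;
    *out_len = pos + content;
    return BER_OK;
}

/* Wrappers: result code only, and measured size (0 on any error). */
int measure_rc(const uint8_t *buf, size_t len)
{
    size_t m;
    return ber_measure(buf, len, 0, &m);
}
size_t measured_len(const uint8_t *buf, size_t len)
{
    size_t m = 0;
    return ber_measure(buf, len, 0, &m) == BER_OK ? m : 0;
}

/* Constructed attacker-style input: n nested indefinite-length SEQUENCEs,
 * i.e. 30 80 repeated n times, then 00 00 repeated n times. */
size_t build_nested(uint8_t *buf, size_t cap, int n)
{
    int i;
    if (n < 1 || (size_t)n * 4 > cap)
        return 0;
    for (i = 0; i < n; i++) {
        buf[2 * i] = 0x30;      buf[2 * i + 1] = 0x80;
        buf[2 * n + 2 * i] = 0; buf[2 * n + 2 * i + 1] = 0;
    }
    return (size_t)n * 4;
}
int nested_rc(int n)
{
    uint8_t buf[1024];
    size_t len = build_nested(buf, sizeof buf, n);
    return len ? measure_rc(buf, len) : BER_BAD;
}
size_t nested_len(int n)
{
    uint8_t buf[1024];
    size_t len = build_nested(buf, sizeof buf, n);
    return len ? measured_len(buf, len) : 0;
}

int main(void)
{
    printf("10 levels: rc=%d len=%zu\n", nested_rc(10), nested_len(10));
    printf("200 levels: rc=%d (BER_TOO_DEEP is %d)\n", nested_rc(200), BER_TOO_DEEP);
    return 0;
}
```

Drop the `depth > BER_MAX_DEPTH` check and feed the walker a few hundred thousand 30 80 pairs: it recurses once per pair until the stack runs out, which is the denial of service the advisory describes. With the check in place it returns BER_TOO_DEEP after BER_MAX_DEPTH levels, before any meaningful stack depth is reached. A definite-length SEQUENCE containing the same nesting costs nothing extra, because its length is read from the header and the contents are skipped rather than walked.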

upstream/0013 Fix KDC null deref on bad encrypted challenge.patch

src/kdc/kdc_preauth_ec.c | 3 2 + 1 - 0 !
src/tests/Makefile.in | 1 1 + 0 - 0 !
src/tests/t_cve-2021-36222.py | 46 46 + 0 - 0 !
3 files changed, 49 insertions(+), 1 deletion(-)

 fix kdc null deref on bad encrypted challenge

The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL.  However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds.  If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash.  Add a check before the k5memdup0() call to avoid overwriting
retval.

CVE-2021-36222:

In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.

[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]

(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)

ticket: 9007
version_fixed: 1.18.4

(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)

Patch-Category: upstream
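Added example, modelled on the commit message above rather than copied from kdc_preauth_ec.c. The bug class is an error code parked in retval and then silently overwritten by a helper that reports its own success through the same variable. In this example memdup0_status() stands in for k5memdup0(), derive_with_armor() for the krb5_c_fx_cf2_simple() call that dereferences the armor key, and ERR_NO_ARMOR, DERIVE_CRASHED and the null-key probe are this example's own inventions; the real KDC does not return a code at that point, it crashes. The constructed padata bytes in main() are arbitrary.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example-only codes: ERR_NO_ARMOR stands in for the error the KDC should
 * return; DERIVE_CRASHED marks where the real code dereferences NULL. */
enum { ERR_NO_ARMOR = 1, DERIVE_CRASHED = -1 };

static int null_key_reached;              /* probe: did a NULL key reach derivation? */
void probe_reset(void) { null_key_reached = 0; }
int probe_null_reached(void) { return null_key_reached; }

/* Stand-in for k5memdup0(): copies len bytes plus a NUL and reports its own
 * outcome through *code. The property that matters: on success it writes 0
 * into *code, whatever was there before. */
static void *memdup0_status(const void *src, size_t len, int *code)
{
    char *out = malloc(len + 1);
    if (out == NULL) {
        *code = ENOMEM;
        return NULL;
    }
    memcpy(out, src, len);
    out[len] = '\0';
    *code = 0;
    return out;
}

/* Stand-in for the key-derivation step that uses the armor key. */
static int derive_with_armor(const uint8_t *armor_key)
{
    if (armor_key == NULL) {
        null_key_reached = 1;              /* the KDC would segfault here */
        return DERIVE_CRASHED;
    }
    return 0;
}

/* Pre-fix shape: the NULL check parks an error in retval, but the allocation
 * helper runs unconditionally and resets retval to 0. */
int verify_buggy(const uint8_t *armor_key, const uint8_t *padata, size_t len)
{
    int retval = 0;
    void *copy;

    if (armor_key == NULL)
        retval = ERR_NO_ARMOR;             /* request arrived outside a FAST tunnel */
    copy = memdup0_status(padata, len, &retval);   /* retval is now 0 again */
    if (retval == 0)
        retval = derive_with_armor(armor_key);     /* reached with a NULL key */
    free(copy);
    return retval;
}

/* Post-fix shape: the allocation is gated on retval == 0, so an error set
 * earlier survives to the return and the key is never touched. */
int verify_fixed(const uint8_t *armor_key, const uint8_t *padata, size_t len)
{
    int retval = 0;
    void *copy = NULL;

    if (armor_key == NULL)
        retval = ERR_NO_ARMOR;
    if (retval == 0)
        copy = memdup0_status(padata, len, &retval);
    if (retval == 0)
        retval = derive_with_armor(armor_key);
    free(copy);
    return retval;
}

int main(void)
{
    const uint8_t pa[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };   /* constructed padata bytes */
    int rc;

    probe_reset();
    rc = verify_buggy(NULL, pa, sizeof pa);
    printf("buggy, no armor key: rc=%d null reached=%d\n", rc, probe_null_reached());
    probe_reset();
    rc = verify_fixed(NULL, pa, sizeof pa);
    printf("fixed, no armor key: rc=%d null reached=%d\n", rc, probe_null_reached());
    return 0;
}
```

The fixed shape is what the patch does: make the allocation conditional on retval still being 0. When auditing code that uses helpers of this shape (allocation or copy routines that take `&retval` and write 0 on success), look for an unconditional call placed after an assignment of an error code; that pattern defeats the earlier check no matter how correct the check itself is.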

0014 Fix KDC null deref on TGS inner body null server.patch

src/kdc/do_tgs_req.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 fix kdc null deref on tgs inner body null server

After the KDC decodes a FAST inner body, it does not check for a null
server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference.  Add
a null check.

Reported by Joseph Sutton of Catalyst.

CVE-2021-37750:

In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.

ticket: 9008 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next

(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)

0015 Fix defcred leak in krb5 gss_inquire_cred.patch

src/lib/gssapi/krb5/inq_cred.c | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 fix defcred leak in krb5 gss_inquire_cred()

Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path.  The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.

Reported by Pavel Bezina.

(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)

ticket: 9016
version_fixed: 1.18.4

(cherry picked from commit b92be484630b38e26f5ee4bd67973fbd7627009c)

0016 Use SHA 256 instead of SHA 1 for PKINIT CMS digest.patch

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 41 23 + 18 - 0 !
1 file changed, 23 insertions(+), 18 deletions(-)

 use sha-256 instead of sha-1 for pkinit cms digest

[ghudson@mit.edu: edited comments]

ticket: 9055 (new)