src/clients/ksu/ksu.h | 4 4 + 0 - 0 !
src/include/k5-int.h | 6 6 + 0 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/kprop/kprop_util.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
5 files changed, 22 insertions(+)

 debian: hurd compatibility

HURD has no MAXPATHLEN or MAXHOSTNAMELEN.

Thanks Pino Toscano for making the patch more robust.

src/build-tools/krb5-config.in | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 debian: handle multi-arch paths in krb5-config

We cannot use @libdir@ because that will include the
multi-arch prefix in the built krb5-config, but we want krb5-config to
be identical on all arches so that krb5-multidev can be multi-arch:
same.  So, instead, figure out our multi-arch tripple by calling CC
directly.

Based on an approach suggested by Hugh McMaster.

Also include --deps in the usage output, since it is a valid argument.

Patch-Category: debian-local

src/include/osconf.hin | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

src/plugins/kdb/ldap/Makefile.in | 1 1 + 0 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.

Patch-Category: debian-local

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

Patch-Category: debian-local

src/doc/Makefile.in | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 add substpdf target

Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.

Patch-Category: debian-local

src/build-tools/gssrpc.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-client.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-server.pc.in | 4 2 + 2 - 0 !
src/build-tools/kdb.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5.pc.in | 4 2 + 2 - 0 !
6 files changed, 12 insertions(+), 12 deletions(-)

 fix pkg-config library/include paths

Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.

Patch-Category: debian-local

src/build-tools/gssrpc.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-client.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-server.pc.in | 2 1 + 1 - 0 !
src/build-tools/kdb.pc.in | 2 1 + 1 - 0 !
src/build-tools/krb5-config.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5.pc.in | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 use -isystem for include paths

 This is necessary so Kerberos headers files are classified as "system headers"
 by the compiler, and thus not subject to the same strict warnings as
 other headers (which breaks compilation if -Werror is specified).
 .
 This fixes the build of folks using -Werror and including Kerberos headers
 when the latter are installed in a non-standard location (e.g.
 /usr/include/tuple/mit-krb5, as Debian is doing).
(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)

.gitignore | 592 592 + 0 - 0 !
1 file changed, 592 insertions(+)

 add .gitignore

src/lib/kadm5/kadm_rpc_xdr.c | 11 8 + 3 - 0 !
1 file changed, 8 insertions(+), 3 deletions(-)

 ensure array count consistency in kadm5 rpc

In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding.  Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers.  Reported by Robert Morris.

CVE-2023-36054:

An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers.  Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.

ticket: 9099 (new)
tags: pullup
target_version: 1.21-next
target_version: 1.20-next

(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)

src/include/k5-der.h | 149 149 + 0 - 0 !
src/lib/gssapi/krb5/k5sealv3.c | 5 5 + 0 - 0 !
src/lib/gssapi/krb5/k5sealv3iov.c | 3 2 + 1 - 0 !
src/lib/gssapi/krb5/k5unsealiov.c | 80 73 + 7 - 0 !
src/tests/gssapi/t_invalid.c | 233 195 + 38 - 0 !
5 files changed, 424 insertions(+), 46 deletions(-)

 fix vulnerabilities in gss message token handling

In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header.  Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes.  Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper.  This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.

(cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a)

ticket: 9128
version_fixed: 1.21.3

(cherry picked from commit 55fbf435edbe2e92dd8101669b1ce7144bc96fef)

Added k5-der.h from 1.21 so code builds

src/kdc/ndr.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 cve-2024-26462 fix leak in kdc ndr encoding

If the KDC tries to encode a principal containing encode invalid UTF-8
sequences for inclusion in a PAC delegation info buffer, it will leak
a small amount of memory in enc_wchar_pointer() before failing.  Fix
the leak.

ticket: 9115 (new)
tags: pullup
target_version: 1.21-next

src/lib/kdb/kdb_log.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 cve-2025-24528 prevent overflow when calculating ulog block size

In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).

CVE-2025-24528:

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

[ghudson@mit.edu: edited commit message and added CVE description]

ticket: 9159 (new)
tags: pullup
target_version: 1.21-next