Debian Patches

Status for krb5/1.18.3-6+deb11u5

Patch Description Author Forwarded Bugs Origin Last update
Patch: debian-local/0001-Debian-HURD-compatibility.patch
Description: Debian: HURD compatibility
HURD has no MAXPATHLEN or MAXHOSTNAMELEN.

Thanks Pino Toscano for making the patch more robust.
Author: Sam Hartman <hartmans@debian.org>
Forwarded: no
Last update: 2011-12-26
Patch: debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch
Description: debian: Handle multi-arch paths in krb5-config
We cannot use @libdir@ because that will include the
multi-arch prefix in the built krb5-config, but we want krb5-config to
be identical on all arches so that krb5-multidev can be multi-arch:
same. So, instead, figure out our multi-arch triple by calling CC
directly.

Based on an approach suggested by Hugh McMaster.

Also include --deps in the usage output, since it is a valid argument.
Author: Sam Hartman <hartmans@debian.org>
Forwarded: no
Last update: 2011-12-26
Patch: debian-local/0003-debian-osconf.hin-path-changes.patch
Description: debian: osconf.hin path changes
Author: Sam Hartman <hartmans@debian.org>
Forwarded: no
Last update: 2011-12-26
Patch: debian-local/0004-debian-install-ldap-library-in-subdirectory.patch
Description: debian: install ldap library in subdirectory
Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.
Author: Sam Hartman <hartmans@debian.org>
Forwarded: no
Last update: 2011-12-26
Patch: debian-local/0005-gssapi-never-unload-mechanisms.patch
Description: gssapi: never unload mechanisms
It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.
Author: Benjamin Kaduk <kaduk@mit.edu>
Forwarded: no
Last update: 2013-03-29
Patch: debian-local/0006-Add-substpdf-target.patch
Description: Add substpdf target
Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.
Author: Ben Kaduk <kaduk@mit.edu>
Forwarded: no
Last update: 2013-03-29
Patch: debian-local/0007-Fix-pkg-config-library-include-paths.patch
Description: Fix pkg-config library/include paths
Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.
Author: Jelmer Vernooij <jelmer@debian.org>
Forwarded: no
Last update: 2014-08-27
Patch: debian-local/0008-Use-isystem-for-include-paths.patch
Description: Use -isystem for include paths
This is necessary so Kerberos header files are classified as "system headers"
by the compiler, and thus not subject to the same strict warnings as
other headers (which breaks compilation if -Werror is specified).

This fixes the build of folks using -Werror and including Kerberos headers
when the latter are installed in a non-standard location (e.g.
/usr/include/tuple/mit-krb5, as Debian is doing).
(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)
Author: Jelmer Vernooij <jelmer@debian.org>
Forwarded: no
Origin: debian
Last update: 2014-09-03
Patch: 0009-Add-.gitignore.patch
Description: Add .gitignore
Author: Sam Hartman <hartmans@debian.org>
Forwarded: no
Last update: 2019-07-08
Patch: 0010-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Description: Fix KDC null deref on bad encrypted challenge
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
to avoid further processing if the armor key is NULL. However, this
check is bypassed by a call to k5memdup0() which overwrites retval
with 0 if the allocation succeeds. If the armor key is NULL, a call
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
crash. Add a check before the k5memdup0() call to avoid overwriting
retval.

CVE-2021-36222:

In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
cause a null dereference in the KDC by sending a request containing a
PA-ENCRYPTED-CHALLENGE padata element without using FAST.

[ghudson@mit.edu: trimmed patch; added test case; edited commit
message]

(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)

version_fixed: 1.18.4

(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)
Author: Joseph Sutton <josephsutton@catalyst.net.nz>
Forwarded: no
Last update: 2021-07-07
Patch: 0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
Description: Fix KDC null deref on TGS inner body null server
After the KDC decodes a FAST inner body, it does not check for a null
server. Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
would typically result in an error from krb5_unparse_name(), but with
the addition of get_local_tgt() it results in a null dereference. Add
a null check.

Reported by Joseph Sutton of Catalyst.

CVE-2021-37750:

In MIT krb5 releases 1.14 and later, an authenticated attacker can
cause a null dereference in the KDC by sending a FAST TGS request with
no server field.

target_version: 1.19-next
target_version: 1.18-next

(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
Author: Greg Hudson <ghudson@mit.edu>
Forwarded: no
Last update: 2021-08-03
Patch: 0012-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
Description: Fix defcred leak in krb5 gss_inquire_cred()
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.

Reported by Pavel Březina.

(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)

version_fixed: 1.18.4

(cherry picked from commit b92be484630b38e26f5ee4bd67973fbd7627009c)
Author: Greg Hudson <ghudson@mit.edu>
Forwarded: no
Last update: 2021-07-21
Patch: 0013-Use-SHA-256-instead-of-SHA-1-for-PKINIT-CMS-digest.patch
Description: Use SHA-256 instead of SHA-1 for PKINIT CMS digest
[ghudson@mit.edu: edited comments]
Author: Julien Rische <jrische@redhat.com>
Forwarded: no
Last update: 2022-03-11
Patch: 0014-Fix-integer-overflows-in-PAC-parsing.patch
Description: Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer. Credit to OSS-Fuzz for discovering one of the issues.

CVE-2022-42898:

In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from a
KDC process's memory by having them copied into the PAC of a new
ticket.

(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583)

version_fixed: 1.20.1

(cherry picked from commit b99de751dd35360c0fccac74a40f4a60dbf1ceea)
Author: Greg Hudson <ghudson@mit.edu>
Forwarded: no
Last update: 2022-10-17
Patch: 0015-Ensure-array-count-consistency-in-kadm5-RPC.patch
Description: Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
key_data array count when decoding. Otherwise when the structure is
later freed, xdr_array() could iterate over the wrong number of
elements, either leaking some memory or freeing uninitialized
pointers. Reported by Robert Morris.

CVE-2023-36054:

An authenticated attacker can cause a kadmind process to crash by
freeing uninitialized pointers. Remote code execution is unlikely.
An attacker with control of a kadmin server can cause a kadmin client
to crash by freeing uninitialized pointers.

target_version: 1.21-next
target_version: 1.20-next

(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
Author: Greg Hudson <ghudson@mit.edu>
Forwarded: no
Last update: 2023-06-21
Patch: CVE-2024-37370
Description: Fix vulnerabilities in GSS message token handling
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
verify the Extra Count field of CFX wrap tokens against the encrypted
header. Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
length too short to contain the encrypted header and extra count
bytes. Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and
complete token length when parsing the token's ASN.1 wrapper. This
fix contains modified versions of functions from k5-der.h and
util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370:

In MIT krb5 release 1.3 and later, an attacker can modify the
plaintext Extra Count field of a confidential GSS krb5 wrap token,
causing the unwrapped token to appear truncated to the application.

CVE-2024-37371:

In MIT krb5 release 1.3 and later, an attacker can cause invalid
memory reads by sending message tokens with invalid length fields.

(cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a)

version_fixed: 1.21.3

(cherry picked from commit 55fbf435edbe2e92dd8101669b1ce7144bc96fef)

Added k5-der.h from 1.21 so code builds

For krb5 1.18, call krb5_init_context in t_invalid because it's needed
in that version of krb5 to initialize the PRNG. Needed so we could run
tests to confirm the fix.
Author: Greg Hudson <ghudson@mit.edu>
Forwarded: no
Last update: 2024-06-14