Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu


[ Reason ]
This is the same no-dsasecurity fix and memory leak fix I submitted to bullseye.

[ Impact ]

Authenticated attackers can crash the KDC.
Independently there is a memory leak that a user reported as bothering them.

[ Tests ]

I've run autopkgtests against buster to confirm that the code
generally works.  This is an upstream patch that there are tests for
at least on upstream trunk to confirm the DOS has been fixed.

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable

diff --git a/debian/.git-dpm b/debian/.git-dpm
index a67f6f6c72..fcd6a7f36e 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e860e33ab6bda2e20c3671ba34b114ad81219622
-e860e33ab6bda2e20c3671ba34b114ad81219622
+668523c82a2446609f3eab8688c8837c59b97de2
+668523c82a2446609f3eab8688c8837c59b97de2
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 krb5_1.17.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 9b8237f05e..45d55810ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+krb5 (1.17-3+deb10u3) buster; urgency=high
+
+  * Fix KDC null dereference crash on FAST request with no server field,
+    CVE-2021-37750, Closes: #992607
+  * Fix memory leak in krb5_gss_inquire_cred, Closes: #991140
+
+
+ -- Sam Hartman <hartm...@debian.org>  Sun, 29 Aug 2021 16:23:02 -0600
+
 krb5 (1.17-3+deb10u2) buster-security; urgency=high
 
   * Import upstream patch for CVE-2021-36222, Closes: #991365
diff --git 
a/debian/patches/0014-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch 
b/debian/patches/0014-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
new file mode 100644
index 0000000000..223bcb0e25
--- /dev/null
+++ b/debian/patches/0014-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
@@ -0,0 +1,45 @@
+From d2ced8994880ee278f92f4277e1a90ed0835208f Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Tue, 3 Aug 2021 01:15:27 -0400
+Subject: Fix KDC null deref on TGS inner body null server
+
+After the KDC decodes a FAST inner body, it does not check for a null
+server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
+would typically result in an error from krb5_unparse_name(), but with
+the addition of get_local_tgt() it results in a null dereference.  Add
+a null check.
+
+Reported by Joseph Sutton of Catalyst.
+
+CVE-2021-37750:
+
+In MIT krb5 releases 1.14 and later, an authenticated attacker can
+cause a null dereference in the KDC by sending a FAST TGS request with
+no server field.
+
+ticket: 9008 (new)
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+
+(cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
+---
+ src/kdc/do_tgs_req.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 587342a6c9..622b48fc53 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
+         status = "FIND_FAST";
+         goto cleanup;
+     }
++    if (sprinc == NULL) {
++        status = "NULL_SERVER";
++        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++        goto cleanup;
++    }
+ 
+     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
+                             &local_tgt, &local_tgt_storage);
diff --git 
a/debian/patches/0015-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch 
b/debian/patches/0015-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
new file mode 100644
index 0000000000..95467220b9
--- /dev/null
+++ b/debian/patches/0015-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
@@ -0,0 +1,42 @@
+From 668523c82a2446609f3eab8688c8837c59b97de2 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Wed, 21 Jul 2021 13:44:30 -0400
+Subject: Fix defcred leak in krb5 gss_inquire_cred()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
+management of krb5_gss_inquire_cred(), introducing defcred to act as
+an owner pointer when the function must acquire a default credential.
+The commit neglected to update the code to release the default cred
+along the successful path.  The old code does not trigger because
+cred_handle is now reassigned, so the default credential is leaked.
+
+Reported by Pavel Březina.
+
+(a minimal alternative to commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
+
+ticket: 9016
+version_fixed: 1.18.4
+
+(cherry picked from commit b92be484630b38e26f5ee4bd67973fbd7627009c)
+---
+ src/lib/gssapi/krb5/inq_cred.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
+index a8f2541102..cd8384d08c 100644
+--- a/src/lib/gssapi/krb5/inq_cred.c
++++ b/src/lib/gssapi/krb5/inq_cred.c
+@@ -197,9 +197,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, 
lifetime_ret,
+         mechs = GSS_C_NO_OID_SET;
+     }
+ 
+-    if (cred_handle == GSS_C_NO_CREDENTIAL)
+-        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+-
++    krb5_gss_release_cred(minor_status, &defcred);
+     krb5_free_context(context);
+     *minor_status = 0;
+     return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
diff --git a/debian/patches/series b/debian/patches/series
index 78a30e7503..a5e368e5e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
 upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
 upstream/0012-CVE-2020-28196.patch
 upstream/0013-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+0014-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+0015-Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 587342a6c9..622b48fc53 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -201,6 +201,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         status = "FIND_FAST";
         goto cleanup;
     }
+    if (sprinc == NULL) {
+        status = "NULL_SERVER";
+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto cleanup;
+    }
 
     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
                             &local_tgt, &local_tgt_storage);
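Review bot: The new `if (sprinc == NULL)` block carries no comment saying why `sprinc` can be NULL here, and the reason (a FAST inner body that omits the server field, as the commit message in debian/patches/0014 explains) is not visible from the surrounding code; I'd put `/* A FAST inner body may omit the server field; reject it here rather than dereference sprinc in get_local_tgt() below (CVE-2021-37750). */` above the `if`. The `"NULL_SERVER"` status string is presumably what the cleanup path records for the rejected request, so it is the token an operator would grep the KDC log for when confirming the fix is active — worth keeping stable. The debdiff carries this change twice, as the added patch file and as the applied hunk in src/kdc/do_tgs_req.c, so a comment would have to go in both copies to stay consistent. process_tgs_req's body starts and ends outside the hunk.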
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f2541102..cd8384d08c 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -197,9 +197,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, 
lifetime_ret,
         mechs = GSS_C_NO_OID_SET;
     }
 
-    if (cred_handle == GSS_C_NO_CREDENTIAL)
-        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
+    krb5_gss_release_cred(minor_status, &defcred);
     krb5_free_context(context);
     *minor_status = 0;
     return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
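Review bot: The unconditional `krb5_gss_release_cred(minor_status, &defcred);` relies on `defcred` being initialised to `GSS_C_NO_CREDENTIAL` on every path that reaches this point, and that initialisation is outside the hunk (krb5_gss_inquire_cred starts before it); worth confirming at the function entry, since releasing an uninitialised handle would be worse than the leak being fixed. A one-line comment would make the ownership explicit: `/* defcred is non-null only when the default cred was acquired above; it must be released on the success path as well. */`. The release call presumably writes to `*minor_status`, which the next line resets to 0, so any minor code from the release is discarded — consistent with the old behaviour, but worth stating if intentional. The same change appears verbatim in the added debian/patches/0015 file.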
