Hi, I have prepared a debdiff for unstable (and trixie and bookworm) for those two issues; it is currently testing as well on debusine:

https://debusine.debian.net/debian/developers/work-request/682925/
https://debusine.debian.net/debian/developers/work-request/683519/
https://debusine.debian.net/debian/developers/work-request/684164/

For unstable I would then upload to the delayed queue, but let me know if you want me to have that cancelled.

Regards,
Salvatore
diff -Nru krb5-1.22.1/debian/changelog krb5-1.22.1/debian/changelog --- krb5-1.22.1/debian/changelog 2025-11-14 16:18:38.000000000 +0100 +++ krb5-1.22.1/debian/changelog 2026-05-10 09:08:30.000000000 +0200 @@ -1,3 +1,11 @@ +krb5 (1.22.1-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) + (Closes: #1135317) + + -- Salvatore Bonaccorso <[email protected]> Sun, 10 May 2026 09:08:30 +0200 + krb5 (1.22.1-2) unstable; urgency=medium * Release to unstable diff -Nru krb5-1.22.1/debian/patches/0013-Fix-two-NegoEx-parsing-vulnerabilities.patch krb5-1.22.1/debian/patches/0013-Fix-two-NegoEx-parsing-vulnerabilities.patch --- krb5-1.22.1/debian/patches/0013-Fix-two-NegoEx-parsing-vulnerabilities.patch 1970-01-01 01:00:00.000000000 +0100 +++ krb5-1.22.1/debian/patches/0013-Fix-two-NegoEx-parsing-vulnerabilities.patch 2026-05-10 09:05:42.000000000 +0200 
@@ -0,0 +1,66 @@ +From: Greg Hudson <[email protected]> +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: Fix two NegoEx parsing vulnerabilities +Origin: https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f +Bug-Debian: https://bugs.debian.org/1135317 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40356 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40355 + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. 
+ +ticket: 9205 (new) +tags: pullup +target_version: 1.22-next +--- + src/lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index edc5462e8441..a65238e57305 100644 +--- a/src/lib/gssapi/spnego/negoex_util.c ++++ b/src/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } +-- +2.53.0 + diff -Nru krb5-1.22.1/debian/patches/series krb5-1.22.1/debian/patches/series --- krb5-1.22.1/debian/patches/series 2025-10-07 21:58:36.000000000 +0200 +++ krb5-1.22.1/debian/patches/series 2026-05-10 09:06:27.000000000 +0200 @@ -9,3 +9,4 @@ 0009-Add-.gitignore.patch 0011-Allow-kpropd-to-bind-even-if-only-loopback-is-config.patch 0012-Skip-keyring-tests-if-keyring-blocked-by-seccomp.patch +0013-Fix-two-NegoEx-parsing-vulnerabilities.patch
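Review bot: the changelog hunk and the series hunk are consistent with the new patch file: `Closes: #1135317` matches the `Bug-Debian: https://bugs.debian.org/1135317` header in 0013, both CVE ids in the changelog entry match the two `Bug-Debian-Security` headers, and 0013 is appended after 0012 at the end of series, so no existing patch order changes. One documentation point: the changelog entry could also cite the upstream commit already recorded in the `Origin:` header (krb5 commit 2e75f0d9362fb979f5fc92829431a590a130929f), so the provenance is visible from the changelog alone.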
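Review bot: in the parse_nego_message() hunk, the NULL check on the second vector_base() result sits before the `for (i = 0; i < count; i++)` loop that indexes `p`, so an offset/count pair that fails bounds checking can no longer lead to `load_32_le(p + i * EXTENSION_LENGTH)` being evaluated on a null base; the minor code `ERR_NEGOEX_INVALID_MESSAGE_SIZE` with `GSS_S_DEFECTIVE_TOKEN` is the same pair parse_message() already uses for its size check, which keeps the error reporting uniform. No change needed there.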
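Review bot: in the parse_message() hunk, keep `in->status` as the first operand of the new condition. The added term `header_len < (size_t)(in->ptr - msg_base)` compares header_len with the bytes already consumed from the input cursor, which is the underflow guard the commit message describes (a header_len smaller than what was already read would otherwise wrap the remaining-length subtraction). The cast of the pointer difference to `size_t` is only safe when `in->ptr` is a valid cursor at or past `msg_base`, and the preceding k5_input_get_uint32_le()/k5_input_get_bytes() calls only guarantee that when no read failed, which is exactly what the short-circuit on `in->status` ensures; a future reordering of the operands would silently lose that property.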

