Your message dated Mon, 15 Mar 2021 10:12:25 +0000
with message-id <[email protected]>
and subject line unblock libpam-krb5
has caused the Debian Bug report #985235,
regarding unblock: libpam-krb5/4.9-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985235
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package libpam-krb5
[ Reason ]
Apply an upstream patch to prevent a double free if
krb5_cc_get_principal fails on the newly-acquired ticket cache.
[ Impact ]
My guess is that this isn't exploitable because I don't think
an attacker can trigger the error condition, but a user of the
module did run into it, so I'd rather be safe than sorry. It is
a double free, so if I'm wrong, it could potentially lead to
code execution or other security issues.
[ Tests ]
Passed CI tests with both Kerberos and Heimdal.
[ Risks ]
Trivial one-line patch, so the risk of updating the package
should be minimal.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock libpam-krb5/4.9-2
diff -Nru libpam-krb5-4.9/debian/changelog libpam-krb5-4.9/debian/changelog
--- libpam-krb5-4.9/debian/changelog 2020-03-30 19:46:43.000000000 -0700
+++ libpam-krb5-4.9/debian/changelog 2021-03-14 12:31:39.000000000 -0700
@@ -1,3 +1,10 @@
+libpam-krb5 (4.9-2) unstable; urgency=medium
+
+ * Apply upstream patch to avoid a double free if calling
+ krb5_cc_get_principal on the new cache fails.
+
+ -- Russ Allbery <[email protected]> Sun, 14 Mar 2021 12:31:39 -0700
+
libpam-krb5 (4.9-1) unstable; urgency=high
* New upstream release.
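Review bot: the new changelog entry does not point back to the upstream issue the patch closes (the patch header below says "Fixes #20") or name the reporter, so the fix is not traceable from d/changelog alone; adding the upstream issue reference to the bullet would help anyone auditing the 4.9-2 revision later. The wording itself matches the one-line change in module/account.c.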
diff -Nru
libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
---
libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
1969-12-31 16:00:00.000000000 -0800
+++
libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
2021-03-14 12:31:39.000000000 -0700
@@ -0,0 +1,40 @@
+From: Russ Allbery <[email protected]>
+Date: Sat, 30 Jan 2021 11:55:44 -0800
+Subject: Avoid double free of ctx->princ in a failure case
+
+When re-retrieving the authenticated principal from the current cache,
+ensure the stored principal in the authentication context is always
+either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
+could result in a double free. Thanks to Michael Muehle for the
+report.
+
+Fixes #20
+---
+ module/account.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/module/account.c b/module/account.c
+index 211975a..c270c9b 100644
+--- a/module/account.c
++++ b/module/account.c
+@@ -5,7 +5,7 @@
+ * user's authorization against .k5login (or whatever equivalent we've been
+ * configured for).
+ *
+- * Copyright 2005-2009, 2014, 2020 Russ Allbery <[email protected]>
++ * Copyright 2005-2009, 2014, 2020-2021 Russ Allbery <[email protected]>
+ * Copyright 2011
+ * The Board of Trustees of the Leland Stanford Junior University
+ * Copyright 2005 Andres Salomon <[email protected]>
+@@ -78,8 +78,10 @@ pamk5_account(struct pam_args *args)
+ */
+ if (ctx->cache != NULL) {
+ putil_debug(args, "retrieving principal from cache");
+- if (ctx->princ != NULL)
++ if (ctx->princ != NULL) {
+ krb5_free_principal(ctx->context, ctx->princ);
++ ctx->princ = NULL;
++ }
+ retval = krb5_cc_get_principal(ctx->context, ctx->cache, &ctx->princ);
+ if (retval != 0) {
+ putil_err_krb5(args, retval, "cannot get principal from cache");
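Review bot: the second hunk of the embedded patch ends right after `putil_err_krb5(args, retval, "cannot get principal from cache");`, so the hunk does not show what the failure branch does next; confirm that it reaches the shared cleanup that frees ctx->princ (the path that turned a failed lookup into a double free) and that nothing on that path dereferences ctx->princ expecting the previous value, since the pointer is now NULL at that point. Clearing the pointer before the call means the fix does not depend on whether krb5_cc_get_principal leaves the out-parameter untouched or clears it on failure, which matters given the package is built against both MIT Kerberos and Heimdal, and the [ Tests ] section reports CI passing on both. Minor: the patch carries git-format-patch From/Date/Subject headers but no DEP-3 `Origin:` or `Bug:` line, so "Fixes #20" is the only link to the upstream report.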
diff -Nru libpam-krb5-4.9/debian/patches/series
libpam-krb5-4.9/debian/patches/series
--- libpam-krb5-4.9/debian/patches/series 1969-12-31 16:00:00.000000000
-0800
+++ libpam-krb5-4.9/debian/patches/series 2021-03-14 12:31:39.000000000
-0700
@@ -0,0 +1 @@
+0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
--- End Message ---
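As an added illustration (not code from the libpam-krb5 package or from the request above), the following C model reproduces the pointer lifecycle the [ Reason ] section describes: ctx->princ is freed, then refilled by a lookup that can fail, and a later shared cleanup frees whatever the pointer still holds. The krb5 calls are replaced by constructed stand-ins (new_principal, free_principal, cc_get_principal) that count a second free of the same object instead of performing it, so the scenario runs safely; the stand-in lookup assumes, as the unblock request implies, that a failing krb5_cc_get_principal leaves the out-parameter untouched. The `patched` flag switches between the pre-fix behaviour and the one-line fix from the debdiff.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the ctx->princ lifecycle in pamk5_account.
 * Principals live in a small static arena and carry a "freed" flag so that
 * free_principal can detect a second free rather than corrupt the heap.
 */
typedef struct {
    char name[32];
    int freed;
} principal;

struct ctx {
    principal *princ;    /* mirrors ctx->princ in the module */
};

static principal arena[4];
static int arena_used;
static int double_free_count;

/* Stand-in for principal allocation (krb5_parse_name and friends). */
static principal *new_principal(const char *name) {
    principal *p = &arena[arena_used++ % 4];
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    p->freed = 0;
    return p;
}

/* Stand-in for krb5_free_principal: in the real library a second free of
 * the same object is undefined behaviour; here it is only counted. */
static void free_principal(principal *p) {
    if (p->freed) {
        double_free_count++;
        return;
    }
    p->freed = 1;
}

/* Stand-in for krb5_cc_get_principal. Assumption: on failure it returns a
 * nonzero code and leaves *out untouched, which is exactly what makes a
 * stale pointer in ctx->princ dangerous. */
static int cc_get_principal(int fail, principal **out) {
    if (fail)
        return 1;
    *out = new_principal("user@EXAMPLE.COM");   /* constructed value */
    return 0;
}

/*
 * Model of the affected region of pamk5_account. 'patched' selects the
 * post-fix behaviour (reset ctx->princ to NULL right after freeing it).
 * The cleanup at the end frees whatever ctx->princ still points at, as a
 * shared context teardown would.
 */
static int account_check(struct ctx *ctx, int patched, int fail) {
    int retval;

    if (ctx->princ != NULL) {
        free_principal(ctx->princ);
        if (patched)
            ctx->princ = NULL;    /* the one-line fix from the debdiff */
    }
    retval = cc_get_principal(fail, &ctx->princ);
    if (retval != 0)
        goto done;                /* "cannot get principal from cache" */

    /* ... authorization checks against ctx->princ would go here ... */

done:
    if (ctx->princ != NULL) {
        free_principal(ctx->princ);
        ctx->princ = NULL;
    }
    return retval;
}

/* Runs one scenario with a pre-existing principal in the context and
 * returns how many double frees the stand-in observed. */
int run_scenario(int patched, int fail) {
    struct ctx ctx;
    ctx.princ = new_principal("old@EXAMPLE.COM");   /* constructed value */
    double_free_count = 0;
    (void) account_check(&ctx, patched, fail);
    return double_free_count;
}

int main(void) {
    printf("unpatched, lookup fails:    %d double free(s)\n", run_scenario(0, 1));
    printf("patched,   lookup fails:    %d double free(s)\n", run_scenario(1, 1));
    printf("unpatched, lookup succeeds: %d double free(s)\n", run_scenario(0, 0));
    return 0;
}
```

Only the unpatched scenario with a failing lookup reports a double free: the stale pointer survives the failed call and the cleanup frees it a second time. With the fix applied the pointer is NULL at that point and the cleanup correctly skips it, which is the "always either valid or NULL" invariant the patch description states.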
--- Begin Message ---
Unblocked.
--- End Message ---