
Bug#930686: unblock: krb5/1.17-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package krb5

Hi. I was looking at upstream patches and found one memory leak and
two documentation fixes I'd like to get into buster.

The memory leak does not currently have a Debian bug, but according to
the most recent freeze update memory leaks are permitted.  The fix is
simple and targeted and low-risk.
The documentation updates are (by being documentation updates) low risk.


diff --git a/debian/.git-dpm b/debian/.git-dpm
index ec64f2d8ba..6e32aafc28 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d2a401455564fa2a51c78a0856492dfe3329a68f
-d2a401455564fa2a51c78a0856492dfe3329a68f
+a243df875ff905d1c676bd726b19bafea07b628c
+a243df875ff905d1c676bd726b19bafea07b628c
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 a75eb54fd955cbf7a8ac44e527fd0e400e87844a
 krb5_1.17.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index c50efd5470..44681a5d68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+krb5 (1.17-3) unstable; urgency=medium
+
+  * Fix memory leak in replay cache type none
+  * Merge in two upstream documentation changes
+
+ -- Sam Hartman <hartmans@debian.org>  Tue, 18 Jun 2019 08:00:29 -0400
+
 krb5 (1.17-2) unstable; urgency=medium
 
   * Finish removing the run kadmind debconf template which was obsoleted
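Review bot: The two new bullets in the 1.17-3 changelog entry do not say which upstream changes were pulled in. Naming the upstream tickets given in the patch headers (8779, 8783, 8789) or the patch file names added to debian/patches/series would let a reader match each bullet to the diff without opening the patch headers.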
diff --git a/debian/patches/series b/debian/patches/series
index e632445230..af6dbebb6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@ debian-local/0005-gssapi-never-unload-mechanisms.patch
 debian-local/0006-Add-substpdf-target.patch
 debian-local/0007-Fix-pkg-config-library-include-paths.patch
 debian-local/0008-Use-isystem-for-include-paths.patch
+upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
+upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
+upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
diff --git a/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
new file mode 100644
index 0000000000..9f2b9a0130
--- /dev/null
+++ b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
@@ -0,0 +1,63 @@
+From d7c778325a6f690dc16213e797dbdc3a84458ae8 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 7 Jan 2019 21:09:34 +0200
+Subject: Remove erroneous text from kinit man page
+
+Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
+page to state that kinit -E (enterprise) implies -C (canonicalize).
+The client does not automatically set the canonicalize option when
+getting tickets for an enterprise principal, and Windows KDCs can
+issue tickets for enterprise principals without canonicalizing the
+principal (contrary to the implication of RFC 6806 section 5).  Remove
+the misleading text.
+
+[ghudson@mit.edu: updated RST man page and regenerated nroff file;
+rewrote commit message]
+
+(cherry picked from commit 8e31335a7722a2f7f1722506befe4fd26d3e3f3f)
+
+ticket: 8779
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ doc/user/user_commands/kinit.rst | 3 +--
+ src/man/kinit.man                | 5 ++---
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
+index d692e2791a..e12e88a372 100644
+--- a/doc/user/user_commands/kinit.rst
++++ b/doc/user/user_commands/kinit.rst
+@@ -92,8 +92,7 @@ OPTIONS
+     requested.
+ 
+ **-E**
+-    treats the principal name as an enterprise name (implies the
+-    **-C** option).
++    treats the principal name as an enterprise name.
+ 
+ **-v**
+     requests that the ticket-granting ticket in the cache (with the
+diff --git a/src/man/kinit.man b/src/man/kinit.man
+index d121cff749..a3dcfe26cc 100644
+--- a/src/man/kinit.man
++++ b/src/man/kinit.man
+@@ -1,6 +1,6 @@
+ .\" Man page generated from reStructuredText.
+ .
+-.TH "KINIT" "1" " " "1.17" "MIT Kerberos"
++.TH "KINIT" "1" " " "1.18" "MIT Kerberos"
+ .SH NAME
+ kinit \- obtain and cache Kerberos ticket-granting ticket
+ .
+@@ -113,8 +113,7 @@ KDC to reply with a different client principal from the one
+ requested.
+ .TP
+ \fB\-E\fP
+-treats the principal name as an enterprise name (implies the
+-\fB\-C\fP option).
++treats the principal name as an enterprise name.
+ .TP
+ \fB\-v\fP
+ requests that the ticket\-granting ticket in the cache (with the
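Review bot: The embedded src/man/kinit.man change also rewrites the .TH line from "1.17" to "1.18", which is unrelated to the -E wording fix and leaves the 1.17-3 package shipping a man page labelled 1.18. Consider dropping that one-line header change from the cherry-pick so that only the -E text changes.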
diff --git a/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
new file mode 100644
index 0000000000..0dde59dc9e
--- /dev/null
+++ b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
@@ -0,0 +1,33 @@
+From c736896c4a0e6402e4876163647e320b1fc62d21 Mon Sep 17 00:00:00 2001
+From: Corene Casper <C.Casper@Dell.com>
+Date: Sat, 16 Feb 2019 00:49:26 -0500
+Subject: Fix memory leak in 'none' replay cache type
+
+Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
+leak in the 'none' replay cache type by freeing the outer container,
+but we also need to free the mutex.
+
+[ghudson@mit.edu: wrote commit message]
+
+(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)
+
+ticket: 8783
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ src/lib/krb5/rcache/rc_none.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
+index e30aed09f1..0b2274df7f 100644
+--- a/src/lib/krb5/rcache/rc_none.c
++++ b/src/lib/krb5/rcache/rc_none.c
+@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
+ static krb5_error_code KRB5_CALLCONV
+ krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
+ {
++    k5_mutex_destroy(&rc->lock);
+     free (rc);
+     return 0;
+ }
diff --git a/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
new file mode 100644
index 0000000000..5f2411c98b
--- /dev/null
+++ b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
@@ -0,0 +1,33 @@
+From a243df875ff905d1c676bd726b19bafea07b628c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 6 Mar 2019 18:01:50 -0500
+Subject: Document the double-colon behavior of DIR ccaches
+
+(cherry picked from commit 5ba6e02a7b96ddd15dde01db0f9aff3d65773a8e)
+
+ticket: 8789
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ doc/basic/ccache_def.rst | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
+index d147f0d7aa..53542adde9 100644
+--- a/doc/basic/ccache_def.rst
++++ b/doc/basic/ccache_def.rst
+@@ -51,6 +51,13 @@ library.
+    requirement is for parent directory to exist and the current
+    process must have permissions to create the directory if it does
+    not exist. See :ref:`col_ccache` for details.  New in release 1.10.
++   The following residual forms are supported:
++
++   * DIR:dirname
++   * DIR::dirpath/filename - a single cache within the directory
++
++   Switching to a ccache of the latter type causes it to become the
++   primary for the directory.
+ 
+ #. **FILE** caches are the simplest and most portable. A simple flat
+    file format is used to store one credential after another.  This is
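Review bot: In the list added to doc/basic/ccache_def.rst, DIR:dirname carries no description while DIR::dirpath/filename does, and the two bullets use different placeholder names (dirname, dirpath) for what reads as the same directory. Suggest describing the first form as well, using one placeholder name, and replacing "the latter type" with the explicit DIR:: form so the sentence stays correct if the list is reordered.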
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index d147f0d7aa..53542adde9 100644
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -51,6 +51,13 @@ library.
    requirement is for parent directory to exist and the current
    process must have permissions to create the directory if it does
    not exist. See :ref:`col_ccache` for details.  New in release 1.10.
+   The following residual forms are supported:
+
+   * DIR:dirname
+   * DIR::dirpath/filename - a single cache within the directory
+
+   Switching to a ccache of the latter type causes it to become the
+   primary for the directory.
 
 #. **FILE** caches are the simplest and most portable. A simple flat
    file format is used to store one credential after another.  This is
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
index d692e2791a..e12e88a372 100644
--- a/doc/user/user_commands/kinit.rst
+++ b/doc/user/user_commands/kinit.rst
@@ -92,8 +92,7 @@ OPTIONS
     requested.
 
 **-E**
-    treats the principal name as an enterprise name (implies the
-    **-C** option).
+    treats the principal name as an enterprise name.
 
 **-v**
     requests that the ticket-granting ticket in the cache (with the
diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
index e30aed09f1..0b2274df7f 100644
--- a/src/lib/krb5/rcache/rc_none.c
+++ b/src/lib/krb5/rcache/rc_none.c
@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
 static krb5_error_code KRB5_CALLCONV
 krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
 {
+    k5_mutex_destroy(&rc->lock);
     free (rc);
     return 0;
 }
diff --git a/src/man/kinit.man b/src/man/kinit.man
index d121cff749..a3dcfe26cc 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KINIT" "1" " " "1.17" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.18" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
@@ -113,8 +113,7 @@ KDC to reply with a different client principal from the one
 requested.
 .TP
 \fB\-E\fP
-treats the principal name as an enterprise name (implies the
-\fB\-C\fP option).
+treats the principal name as an enterprise name.
 .TP
 \fB\-v\fP
 requests that the ticket\-granting ticket in the cache (with the

unblock krb5/1.17-3

