--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libpam-krb5
[ Reason ]
Apply an upstream patch to prevent a double free if
krb5_cc_get_principal fails on the newly-acquired ticket cache.
[ Impact ]
My guess is that this isn't exploitable because I don't think
an attacker can trigger the error condition, but a user of the
module did run into it, so I'd rather be safe than sorry. It is
a double free, so if I'm wrong, it could potentially lead to
code execution or other security issues.
[ Tests ]
Passed CI tests with both Kerberos and Heimdal.
[ Risks ]
Trivial one-line patch, so the risk of updating the package
should be minimal.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock libpam-krb5/4.9-2
diff -Nru libpam-krb5-4.9/debian/changelog libpam-krb5-4.9/debian/changelog
--- libpam-krb5-4.9/debian/changelog 2020-03-30 19:46:43.000000000 -0700
+++ libpam-krb5-4.9/debian/changelog 2021-03-14 12:31:39.000000000 -0700
@@ -1,3 +1,10 @@
+libpam-krb5 (4.9-2) unstable; urgency=medium
+
+ * Apply upstream patch to avoid a double free if calling
+ krb5_cc_get_principal on the new cache fails.
+
+ -- Russ Allbery <rra@debian.org> Sun, 14 Mar 2021 12:31:39 -0700
+
libpam-krb5 (4.9-1) unstable; urgency=high
* New upstream release.
diff -Nru libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
--- libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch 1969-12-31 16:00:00.000000000 -0800
+++ libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch 2021-03-14 12:31:39.000000000 -0700
@@ -0,0 +1,40 @@
+From: Russ Allbery <rra@debian.org>
+Date: Sat, 30 Jan 2021 11:55:44 -0800
+Subject: Avoid double free of ctx->princ in a failure case
+
+When re-retrieving the authenticated principal from the current cache,
+ensure the stored principal in the authentication context is always
+either valid or NULL. Otherwise, a failure of krb5_cc_get_principal
+could result in a double free. Thanks to Michael Muehle for the
+report.
+
+Fixes #20
+---
+ module/account.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/module/account.c b/module/account.c
+index 211975a..c270c9b 100644
+--- a/module/account.c
++++ b/module/account.c
+@@ -5,7 +5,7 @@
+ * user's authorization against .k5login (or whatever equivalent we've been
+ * configured for).
+ *
+- * Copyright 2005-2009, 2014, 2020 Russ Allbery <eagle@eyrie.org>
++ * Copyright 2005-2009, 2014, 2020-2021 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011
+ * The Board of Trustees of the Leland Stanford Junior University
+ * Copyright 2005 Andres Salomon <dilinger@debian.org>
+@@ -78,8 +78,10 @@ pamk5_account(struct pam_args *args)
+ */
+ if (ctx->cache != NULL) {
+ putil_debug(args, "retrieving principal from cache");
+- if (ctx->princ != NULL)
++ if (ctx->princ != NULL) {
+ krb5_free_principal(ctx->context, ctx->princ);
++ ctx->princ = NULL;
++ }
+ retval = krb5_cc_get_principal(ctx->context, ctx->cache, &ctx->princ);
+ if (retval != 0) {
+ putil_err_krb5(args, retval, "cannot get principal from cache");
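Review bot: the fix is correct, but the invariant it restores ("ctx->princ is valid or NULL") holds only because krb5_cc_get_principal leaves &ctx->princ untouched when it returns non-zero; the hunk does not document that reliance, and the retval != 0 branch visible at its end does not re-establish it itself. Consider either a one-line comment above the krb5_cc_get_principal call stating that the pointer is NULLed first so the error path cannot free it again, or an explicit `ctx->princ = NULL;` in the `if (retval != 0)` branch so the guarantee is local to this function rather than dependent on the failure behaviour of whichever library (MIT or Heimdal, both named in the unblock request) is linked in. Either way the new braces around the free/NULL pair are the right style for the two-statement body.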
diff -Nru libpam-krb5-4.9/debian/patches/series libpam-krb5-4.9/debian/patches/series
--- libpam-krb5-4.9/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ libpam-krb5-4.9/debian/patches/series 2021-03-14 12:31:39.000000000 -0700
@@ -0,0 +1 @@
+0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
--- End Message ---
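The failure mode behind this unblock, the old principal freed but its pointer left in the context so that a failed reacquire hands a dangling pointer to the later cleanup, is easy to see in miniature. The program below is an added illustration written for this page, not code from libpam-krb5 or libkrb5: `principal_t`, `auth_ctx_t`, `cc_get_principal`, `free_principal`, `ctx_free` and the two `refresh_principal_*` functions are stand-ins chosen to mirror the shape of the hunk, and the "cache unreadable" failure is a constructed scenario. The stand-in allocator counts repeated releases instead of corrupting a real heap, so the double free shows up as a number rather than a crash.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative stand-ins (not libkrb5 / libpam-krb5 types): a principal
 * object and an authentication context that owns at most one of them. */
typedef struct { char name[64]; } principal_t;
typedef struct { principal_t *princ; int cache_readable; } auth_ctx_t;

/* Tiny instrumented pool allocator so a double free is observable as a
 * counter instead of as heap corruption. */
#define POOL_SIZE 4
static principal_t pool[POOL_SIZE];
static int live[POOL_SIZE];
static int double_frees;

static void reset_pool(void) {
    memset(live, 0, sizeof live);
    double_frees = 0;
}

static principal_t *alloc_principal(const char *name) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!live[i]) {
            live[i] = 1;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for krb5_free_principal. Releasing an object that is already
 * released is counted; with a real allocator this is the corruption point. */
static void free_principal(principal_t *p) {
    long i = p - pool;
    if (i < 0 || i >= POOL_SIZE)
        return;
    if (!live[i]) {
        double_frees++;
        return;
    }
    live[i] = 0;
}

/* Stand-in for krb5_cc_get_principal with the contract the patch relies on:
 * on success *out receives a fresh principal; on failure *out is left
 * exactly as the caller passed it. */
static int cc_get_principal(const auth_ctx_t *ctx, principal_t **out) {
    if (!ctx->cache_readable)
        return 1;                       /* constructed failure: cache unreadable */
    principal_t *p = alloc_principal("user@EXAMPLE.ORG");
    if (p == NULL)
        return 2;
    *out = p;
    return 0;
}

/* Pre-patch shape: the old principal is freed, but ctx->princ still points
 * at it, so a failed reacquire leaves a dangling pointer in the context. */
static int refresh_principal_before(auth_ctx_t *ctx) {
    if (ctx->princ != NULL)
        free_principal(ctx->princ);
    return cc_get_principal(ctx, &ctx->princ);
}

/* Post-patch shape: ctx->princ is NULL from the moment the old object is
 * released until a new one is stored, so it is always either valid or NULL. */
static int refresh_principal_after(auth_ctx_t *ctx) {
    if (ctx->princ != NULL) {
        free_principal(ctx->princ);
        ctx->princ = NULL;
    }
    return cc_get_principal(ctx, &ctx->princ);
}

/* Context teardown that every call path eventually reaches; it frees
 * whatever ctx->princ holds, which is where the second free happens. */
static void ctx_free(auth_ctx_t *ctx) {
    if (ctx->princ != NULL) {
        free_principal(ctx->princ);
        ctx->princ = NULL;
    }
}

/* Runs one scenario end to end and returns the number of double frees
 * observed; 0 is the safe outcome. */
static int run_scenario(int patched, int cache_readable) {
    reset_pool();
    auth_ctx_t ctx = { alloc_principal("old@EXAMPLE.ORG"), cache_readable };
    int rv = patched ? refresh_principal_after(&ctx)
                     : refresh_principal_before(&ctx);
    (void)rv;           /* on failure the module logs and returns; teardown still runs */
    ctx_free(&ctx);
    return double_frees;
}

int main(void) {
    printf("unpatched, cache ok:     %d double free(s)\n", run_scenario(0, 1));
    printf("unpatched, cache failed: %d double free(s)\n", run_scenario(0, 0));
    printf("patched,   cache failed: %d double free(s)\n", run_scenario(1, 0));
    return 0;
}
```

Only the unpatched refresh combined with a failed reacquire produces a double free; the patched version is safe whether or not the cache call succeeds, which is exactly the "valid or NULL" property the commit message describes. The same free-then-NULL discipline is worth applying to any owned pointer that is released and later reacquired, since the error path between the two steps is where the stale value escapes.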