
Bug#985235: marked as done (unblock: libpam-krb5/4.9-2)



Your message dated Mon, 15 Mar 2021 10:12:25 +0000
with message-id <E1lLkD3-0002hx-C8@respighi.debian.org>
and subject line unblock libpam-krb5
has caused the Debian Bug report #985235,
regarding unblock: libpam-krb5/4.9-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985235
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libpam-krb5

[ Reason ]
Apply an upstream patch to prevent a double free if
krb5_cc_get_principal fails on the newly-acquired ticket cache.

[ Impact ]
My guess is that this isn't exploitable because I don't think
an attacker can trigger the error condition, but a user of the
module did run into it, so I'd rather be safe than sorry.  It is
a double free, so if I'm wrong, it could potentially lead to
code execution or other security issues.

[ Tests ]
Passed CI tests with both Kerberos and Heimdal.

[ Risks ]
Trivial one-line patch, so the risk of updating the package
should be minimal.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libpam-krb5/4.9-2
diff -Nru libpam-krb5-4.9/debian/changelog libpam-krb5-4.9/debian/changelog
--- libpam-krb5-4.9/debian/changelog	2020-03-30 19:46:43.000000000 -0700
+++ libpam-krb5-4.9/debian/changelog	2021-03-14 12:31:39.000000000 -0700
@@ -1,3 +1,10 @@
+libpam-krb5 (4.9-2) unstable; urgency=medium
+
+  * Apply upstream patch to avoid a double free if calling
+    krb5_cc_get_principal on the new cache fails.
+
+ -- Russ Allbery <rra@debian.org>  Sun, 14 Mar 2021 12:31:39 -0700
+
 libpam-krb5 (4.9-1) unstable; urgency=high
 
   * New upstream release.
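Review bot: The changelog bullet describes the fix but does not reference the upstream issue that the patch header cites (`Fixes #20`); adding that reference to the entry would let readers trace the Debian change back to the upstream report.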
diff -Nru libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch
--- libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch	1969-12-31 16:00:00.000000000 -0800
+++ libpam-krb5-4.9/debian/patches/0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch	2021-03-14 12:31:39.000000000 -0700
@@ -0,0 +1,40 @@
+From: Russ Allbery <rra@debian.org>
+Date: Sat, 30 Jan 2021 11:55:44 -0800
+Subject: Avoid double free of ctx->princ in a failure case
+
+When re-retrieving the authenticated principal from the current cache,
+ensure the stored principal in the authentication context is always
+either valid or NULL.  Otherwise, a failure of krb5_cc_get_principal
+could result in a double free.  Thanks to Michael Muehle for the
+report.
+
+Fixes #20
+---
+ module/account.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/module/account.c b/module/account.c
+index 211975a..c270c9b 100644
+--- a/module/account.c
++++ b/module/account.c
+@@ -5,7 +5,7 @@
+  * user's authorization against .k5login (or whatever equivalent we've been
+  * configured for).
+  *
+- * Copyright 2005-2009, 2014, 2020 Russ Allbery <eagle@eyrie.org>
++ * Copyright 2005-2009, 2014, 2020-2021 Russ Allbery <eagle@eyrie.org>
+  * Copyright 2011
+  *     The Board of Trustees of the Leland Stanford Junior University
+  * Copyright 2005 Andres Salomon <dilinger@debian.org>
+@@ -78,8 +78,10 @@ pamk5_account(struct pam_args *args)
+      */
+     if (ctx->cache != NULL) {
+         putil_debug(args, "retrieving principal from cache");
+-        if (ctx->princ != NULL)
++        if (ctx->princ != NULL) {
+             krb5_free_principal(ctx->context, ctx->princ);
++            ctx->princ = NULL;
++        }
+         retval = krb5_cc_get_principal(ctx->context, ctx->cache, &ctx->princ);
+         if (retval != 0) {
+             putil_err_krb5(args, retval, "cannot get principal from cache");
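Review bot: Nulling `ctx->princ` right after `krb5_free_principal` is the correct fix for this hunk: if `krb5_cc_get_principal` fails without writing through `&ctx->princ`, the stored pointer would otherwise dangle and be freed a second time at context teardown. Two things worth checking in the code that follows the visible `putil_err_krb5` line: that the error path returns before anything dereferences `ctx->princ` (it is now legitimately NULL there), and that the same free-then-NULL discipline is applied wherever else `ctx->princ` is released and reassigned.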
diff -Nru libpam-krb5-4.9/debian/patches/series libpam-krb5-4.9/debian/patches/series
--- libpam-krb5-4.9/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
+++ libpam-krb5-4.9/debian/patches/series	2021-03-14 12:31:39.000000000 -0700
@@ -0,0 +1 @@
+0001-Avoid-double-free-of-ctx-princ-in-a-failure-case.patch

--- End Message ---
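The failure path the patch above closes, as an added example (not libpam-krb5 code): the krb5 calls are replaced by small stand-ins so it runs without libkrb5, and `struct auth_ctx`, `princ_free` and the teardown step are assumptions modelled on the commit message.

```c
#include <stdlib.h>   /* NULL */
typedef struct { int freed; } fake_princ;  /* stand-in for krb5_principal */
struct auth_ctx { fake_princ *princ; };    /* hypothetical; only the field at issue */
static fake_princ pool[32];
static int next_slot;

static fake_princ *princ_new(void) {
    fake_princ *p = &pool[next_slot++ % 32];
    p->freed = 0;
    return p;
}

/* Mirrors krb5_free_principal, but reports a second free (-1) instead of crashing. */
static int princ_free(fake_princ *p) {
    if (p == NULL) return 0;
    if (p->freed) return -1;
    p->freed = 1;
    return 0;
}

/* Simulated krb5_cc_get_principal.  Assumption: on failure it returns nonzero
 * and leaves *out untouched, so whatever was stored there stays stored. */
static int cc_get_principal(int fail, fake_princ **out) {
    if (fail) return 1;
    *out = princ_new();
    return 0;
}

/* Before the patch: princ is freed but still stored if the lookup fails. */
static int refresh_buggy(struct auth_ctx *ctx, int fail) {
    if (ctx->princ != NULL)
        princ_free(ctx->princ);
    return cc_get_principal(fail, &ctx->princ);
}

/* After the patch: the stored principal is always either valid or NULL. */
static int refresh_fixed(struct auth_ctx *ctx, int fail) {
    if (ctx->princ != NULL) {
        princ_free(ctx->princ);
        ctx->princ = NULL;
    }
    return cc_get_principal(fail, &ctx->princ);
}

/* Failing lookup, then the context teardown that frees ctx->princ (assumed to
 * run later in the module).  Returns -1 on double free, 0 when clean. */
int run_failure_path(int (*refresh)(struct auth_ctx *, int)) {
    struct auth_ctx ctx = { princ_new() };  /* principal from initial auth */
    (void) refresh(&ctx, 1);                /* krb5_cc_get_principal fails */
    return princ_free(ctx.princ);
}
```

`run_failure_path(refresh_buggy)` reports the double free (-1) while `run_failure_path(refresh_fixed)` tears down cleanly (0).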
--- Begin Message ---
Unblocked.

--- End Message ---