Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package krb5

Hi.
I was looking at upstream patches and found one memory leak and two documentation fixes I'd like to get into buster. The memory leak does not currently have a Debian bug, but according to the most recent freeze update memory leaks are permitted. The fix is simple and targeted and low-risk. The documentation updates are (by being documentation updates) low risk.

diff --git a/debian/.git-dpm b/debian/.git-dpm index ec64f2d8ba..6e32aafc28 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -d2a401455564fa2a51c78a0856492dfe3329a68f -d2a401455564fa2a51c78a0856492dfe3329a68f +a243df875ff905d1c676bd726b19bafea07b628c +a243df875ff905d1c676bd726b19bafea07b628c a75eb54fd955cbf7a8ac44e527fd0e400e87844a a75eb54fd955cbf7a8ac44e527fd0e400e87844a krb5_1.17.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index c50efd5470..44681a5d68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +krb5 (1.17-3) unstable; urgency=medium + + * Fix memory leak in replay cache type none + * Merge in two upstream documentation changes + + -- Sam Hartman <hartm...@debian.org> Tue, 18 Jun 2019 08:00:29 -0400 + krb5 (1.17-2) unstable; urgency=medium * Finish removing the run kadmind debconf template which was obsoleted diff --git a/debian/patches/series b/debian/patches/series index e632445230..af6dbebb6f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,6 @@ debian-local/0005-gssapi-never-unload-mechanisms.patch debian-local/0006-Add-substpdf-target.patch debian-local/0007-Fix-pkg-config-library-include-paths.patch debian-local/0008-Use-isystem-for-include-paths.patch +upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch +upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch +upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch 
diff --git a/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch new file mode 100644 index 0000000000..9f2b9a0130 --- /dev/null +++ b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch 
@@ -0,0 +1,63 @@ +From d7c778325a6f690dc16213e797dbdc3a84458ae8 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris <ibouk...@gmail.com> +Date: Mon, 7 Jan 2019 21:09:34 +0200 +Subject: Remove erroneous text from kinit man page + +Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man +page to state that kinit -E (enterprise) implies -C (canonicalize). +The client does not automatically set the canonicalize option when +getting tickets for an enterprise principal, and Windows KDCs can +issue tickets for enterprise principals without canonicalizing the +principal (contrary to the implication of RFC 6806 section 5). Remove +the misleading text. + +[ghud...@mit.edu: updated RST man page and regenerated nroff file; +rewrote commit message] + +(cherry picked from commit 8e31335a7722a2f7f1722506befe4fd26d3e3f3f) + +ticket: 8779 +version_fixed: 1.17.1 + +Patch-Category: upstream +--- + doc/user/user_commands/kinit.rst | 3 +-- + src/man/kinit.man | 5 ++--- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst +index d692e2791a..e12e88a372 100644 +--- a/doc/user/user_commands/kinit.rst ++++ b/doc/user/user_commands/kinit.rst +@@ -92,8 +92,7 @@ OPTIONS + requested. + + **-E** +- treats the principal name as an enterprise name (implies the +- **-C** option). ++ treats the principal name as an enterprise name. + + **-v** + requests that the ticket-granting ticket in the cache (with the +diff --git a/src/man/kinit.man b/src/man/kinit.man +index d121cff749..a3dcfe26cc 100644 +--- a/src/man/kinit.man ++++ b/src/man/kinit.man +@@ -1,6 +1,6 @@ + .\" Man page generated from reStructuredText. + . +-.TH "KINIT" "1" " " "1.17" "MIT Kerberos" ++.TH "KINIT" "1" " " "1.18" "MIT Kerberos" + .SH NAME + kinit \- obtain and cache Kerberos ticket-granting ticket + . +@@ -113,8 +113,7 @@ KDC to reply with a different client principal from the one + requested. 
+ .TP + \fB\-E\fP +-treats the principal name as an enterprise name (implies the +-\fB\-C\fP option). ++treats the principal name as an enterprise name. + .TP + \fB\-v\fP + requests that the ticket\-granting ticket in the cache (with the diff --git a/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch new file mode 100644 index 0000000000..0dde59dc9e --- /dev/null +++ b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch @@ -0,0 +1,33 @@ +From c736896c4a0e6402e4876163647e320b1fc62d21 Mon Sep 17 00:00:00 2001 +From: Corene Casper <c.cas...@dell.com> +Date: Sat, 16 Feb 2019 00:49:26 -0500 +Subject: Fix memory leak in 'none' replay cache type + +Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory +leak in the 'none' replay cache type by freeing the outer container, +but we also need to free the mutex. + +[ghud...@mit.edu: wrote commit message] + +(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17) + +ticket: 8783 +version_fixed: 1.17.1 + +Patch-Category: upstream +--- + src/lib/krb5/rcache/rc_none.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c +index e30aed09f1..0b2274df7f 100644 +--- a/src/lib/krb5/rcache/rc_none.c ++++ b/src/lib/krb5/rcache/rc_none.c +@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc) + static krb5_error_code KRB5_CALLCONV + krb5_rc_none_close(krb5_context ctx, krb5_rcache rc) + { ++ k5_mutex_destroy(&rc->lock); + free (rc); + return 0; + } diff --git a/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch new file mode 100644 index 0000000000..5f2411c98b --- /dev/null +++ b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch 
@@ -0,0 +1,33 @@ +From a243df875ff905d1c676bd726b19bafea07b628c Mon Sep 17 00:00:00 2001 +From: Robbie Harwood <rharw...@redhat.com> +Date: Wed, 6 Mar 2019 18:01:50 -0500 +Subject: Document the double-colon behavior of DIR ccaches + +(cherry picked from commit 5ba6e02a7b96ddd15dde01db0f9aff3d65773a8e) + +ticket: 8789 +version_fixed: 1.17.1 + +Patch-Category: upstream +--- + doc/basic/ccache_def.rst | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst +index d147f0d7aa..53542adde9 100644 +--- a/doc/basic/ccache_def.rst ++++ b/doc/basic/ccache_def.rst +@@ -51,6 +51,13 @@ library. + requirement is for parent directory to exist and the current + process must have permissions to create the directory if it does + not exist. See :ref:`col_ccache` for details. New in release 1.10. ++ The following residual forms are supported: ++ ++ * DIR:dirname ++ * DIR::dirpath/filename - a single cache within the directory ++ ++ Switching to a ccache of the latter type causes it to become the ++ primary for the directory. + + #. **FILE** caches are the simplest and most portable. A simple flat + file format is used to store one credential after another. This is diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst index d147f0d7aa..53542adde9 100644 --- a/doc/basic/ccache_def.rst +++ b/doc/basic/ccache_def.rst @@ -51,6 +51,13 @@ library. requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See :ref:`col_ccache` for details. New in release 1.10. + The following residual forms are supported: + + * DIR:dirname + * DIR::dirpath/filename - a single cache within the directory + + Switching to a ccache of the latter type causes it to become the + primary for the directory. #. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is 
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst index d692e2791a..e12e88a372 100644 --- a/doc/user/user_commands/kinit.rst +++ b/doc/user/user_commands/kinit.rst @@ -92,8 +92,7 @@ OPTIONS requested. **-E** - treats the principal name as an enterprise name (implies the - **-C** option). + treats the principal name as an enterprise name. **-v** requests that the ticket-granting ticket in the cache (with the diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c index e30aed09f1..0b2274df7f 100644 --- a/src/lib/krb5/rcache/rc_none.c +++ b/src/lib/krb5/rcache/rc_none.c @@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc) static krb5_error_code KRB5_CALLCONV krb5_rc_none_close(krb5_context ctx, krb5_rcache rc) { + k5_mutex_destroy(&rc->lock); free (rc); return 0; } diff --git a/src/man/kinit.man b/src/man/kinit.man index d121cff749..a3dcfe26cc 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KINIT" "1" " " "1.17" "MIT Kerberos" +.TH "KINIT" "1" " " "1.18" "MIT Kerberos" .SH NAME kinit \- obtain and cache Kerberos ticket-granting ticket . @@ -113,8 +113,7 @@ KDC to reply with a different client principal from the one requested. .TP \fB\-E\fP -treats the principal name as an enterprise name (implies the -\fB\-C\fP option). +treats the principal name as an enterprise name. .TP \fB\-v\fP requests that the ticket\-granting ticket in the cache (with the

unblock krb5/1.17-3
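
Review bot: The debian/changelog entry for 1.17-3 lists the three changes without naming the patch files or the upstream tickets (8779, 8783, 8789) that the patch headers carry. Adding them to the two bullet lines would let a reader of the changelog map each item to its file under debian/patches/upstream/ without opening the debdiff.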
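
Review bot: The first src/man/kinit.man hunk changes the .TH header from "1.17" to "1.18", which comes from regenerating the nroff file upstream and is not part of the -E wording fix; on a package versioned 1.17-3 the installed man page would then report 1.18. Consider dropping that one line from 0009-Remove-erroneous-text-from-kinit-man-page.patch so the backport carries only the removal of the "(implies the -C option)" text.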
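
Review bot: In krb5_rc_none_close() in src/lib/krb5/rcache/rc_none.c, the added k5_mutex_destroy(&rc->lock) runs unconditionally, so it is correct only if every path that creates a 'none' replay cache has initialised rc->lock before close can be called; the hunk's context does not show the initialisation site, so that is worth confirming for a freeze-time upload. The ordering itself is right (destroy the lock, then free (rc)), and a short comment stating that the close handler owns the lock would make the cleanup contract explicit, given that the commit message says the earlier fix covered only the container.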
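
Review bot: In the doc/basic/ccache_def.rst hunk, only the DIR::dirpath/filename form is given a description; DIR:dirname is listed bare, and the two entries use different placeholder words (dirname, dirpath) for the directory. Suggest describing the first form as well and using one placeholder in both, so that "the latter type" in the following sentence has something explicit to contrast with.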