Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi. I'd like to get some security updates that were not serious enough
for a DSA into jessie. The security team encouraged me to make this
request, so they are in the loop, but have not reviewed the diff or the
specific set of CVEs fixed.
Diff produced with git diff dgit/dgit/jessie debian after looking at
git diff --numstat dgit/dgit/jessie to make sure that all the changes
outside of debian were because of new applied patches. Also confirmed
that dgit quilt-fixup shows no changes between the produced source
package and my tree.
I've confirmed this builds, but have not reviewed the diffs
line-by-line (although all these changes are shipping in stretch or
sid now) and have not finished my testing.
I'll do both of those things before uploading.
diff --git a/debian/changelog b/debian/changelog
index d90f21581b..6aa052a1c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high
+
+ * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
+Closes: #869260
+ * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
+#832572
+ * fix for CVE-2016-3119: remote DOS with ldap for authenticated
+attackers, Closes: #819468
+ * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
+
+ -- Sam Hartman Sun, 13 Aug 2017 18:02:34 -0400
+
krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
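Review bot: the CVE-2016-3120 entry names the option `restrict_anon_to_tgt`, but the patch added below calls it `restrict_anonymous_to_tgt`; use the real option name so the changelog matches the upstream text, and drop the stray double comma in `(kdc crash on restrict_anon_to_tgt), , Closes:`. The four entries would also read more consistently in one shape (`CVE-xxxx-yyyy: description, Closes: #nnnnnn`, with `DoS` rather than `DOS`), since two lead with the CVE and two with "fix for".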
diff --git a/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
new file mode 100644
index 00..f1f5ff13a8
--- /dev/null
+++ b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
@@ -0,0 +1,37 @@
+From: Greg Hudson
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3
f7e4ca67d86a5a5b280b859072bbc5015a2ddd27
+Subject: Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array. Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)
+
+ticket: 8383
+version_fixed: 1.14.2
+
+(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch
+ if (db_args) {
+ for (i=0; db_args[i]; ++i) {
+ arg = strtok_r(db_args[i], "=", _val);
++arg = (arg != NULL) ? arg : "";
+ if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+ dptr = >tktpolicydn;
+ } else {
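Review bot: the new line `arg = (arg != NULL) ? arg : "";` turns an empty db_args entry into an empty string so the following `strcmp` chain no longer dereferences NULL; as shown, that empty argument then falls into the `else` branch, and the hunk is too short to see whether that branch rejects an unrecognised argument or silently ignores it, so check that an empty argument produces an error rather than being accepted. Two lines in this quoted copy are not valid C as they stand (`strtok_r(db_args[i], "=", _val)` and `dptr = >tktpolicydn;`, probably an `&` lost in transit, and the `+++` prefix of the new-file header is missing too); confirm the patch file in the source package is intact and that `quilt push -a` applies it cleanly before upload. A `Bug-Debian: https://bugs.debian.org/819468` header would tie the patch to the bug it closes.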
diff --git a/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
new file mode 100644
index 00..4b63bd8ee0
--- /dev/null
+++ b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
@@ -0,0 +1,51 @@
+From: Greg Hudson
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3
862d5e532d03db566ee2955f69e008a253d39dec
+Subject: Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
+
+ticket: 8458
+version_fixed: 1.14.3
+
+(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
krb5-1.12.1+dfsg/src/kdc/kdc_util.c
+@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+
+-if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py
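Review bot: the quoted diff stops at `--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py`, so the test-suite part of this patch (the hunk header promises 51 lines) is cut off, and the patches for CVE-2017-11368 and CVE-2015-2694 that the changelog claims do not appear at all; please confirm the full set is in the upload and that the t_pkinit.py change is wanted in jessie's build-time tests. On the code change itself, `check_anon(kdc_active_realm, client.princ, request->server)` depends on `client` being populated before this point in validate_as_request() for the S4U2Self path where request->client is NULL; the hunk does not show that, so a quick check that client.princ is always set there (or that check_anon tolerates NULL) would close the review.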