From 2484569caa84eada42a9de64783cc56e89e1515d Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 21 Jul 2021 12:44:26 -0400
Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred()
---
...efcred-leak-in-krb5-gss_inquire_cred.patch | 85 +++++++++++++++++++
krb5.spec | 6 +-
2 files changed, 90 insertions(+), 1 deletion(-)
create mode 100644 Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
diff --git a/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch b/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
new file mode 100644
index 0000000..9b11bc7
--- /dev/null
+++ b/Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
@@ -0,0 +1,85 @@
+From 7e6cdffd47559be61a8c26c4ed3c500c536d5368 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 16 Jul 2021 13:39:39 -0400
+Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
+management of krb5_gss_inquire_cred(), introducing defcred to act as
+an owner pointer when the function must acquire a default credential.
+The commit neglected to update the code to release the default cred
+along the successful path. The old code does not trigger because
+cred_handle is now reassigned, so the default credential is leaked.
+
+Unify the success and failure cleanup for this function so that
+defcred is properly released on success.
+
+Reported by Pavel Březina.
+
+ticket: 9016
+tags: pullup
+target_version: 1.19-next
+target_version: 1.18-next
+
+(cherry picked from commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
+---
+ src/lib/gssapi/krb5/inq_cred.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
+index a8f254110..bb63b726c 100644
+--- a/src/lib/gssapi/krb5/inq_cred.c
++++ b/src/lib/gssapi/krb5/inq_cred.c
+@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+- goto fail;
++ goto cleanup;
+ }
+
+ if (cred->expire != 0) {
+@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
+ *minor_status = code;
+ save_error_info(*minor_status, context);
+ ret = GSS_S_FAILURE;
+- goto fail;
++ goto cleanup;
+ }
+ }
+
+@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
+ if (ret_name)
+ kg_release_name(context, &ret_name);
+ /* *minor_status set above */
+- goto fail;
++ goto cleanup;
+ }
+ }
+
+@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
+
+ if (cred_usage)
+ *cred_usage = cred->usage;
+- k5_mutex_unlock(&cred->lock);
+
+ if (mechanisms) {
+ *mechanisms = mechs;
+ mechs = GSS_C_NO_OID_SET;
+ }
+
+- if (cred_handle == GSS_C_NO_CREDENTIAL)
+- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
+-
+- krb5_free_context(context);
+ *minor_status = 0;
+- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
+-fail:
++ ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
++
++cleanup:
+ k5_mutex_unlock(&cred->lock);
+ krb5_gss_release_cred(&tmpmin, &defcred);
+ krb5_free_context(context);
diff --git a/krb5.spec b/krb5.spec
index 48ff4fb..d27bf68 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
-Release: %{?zdpd}14%{?dist}
+Release: %{?zdpd}15%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -93,6 +93,7 @@ Patch27: Using-locking-in-MEMORY-krb5_cc_get_principal.patch
Patch28: Fix-use-after-free-during-krad-remote_shutdown.patch
Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch
Patch30: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+Patch31: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@@ -655,6 +656,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Wed Jul 21 2021 Robbie Harwood - 1.19.1-15
+- Fix defcred leak in krb5 gss_inquire_cred()
+
* Mon Jul 12 2021 Robbie Harwood - 1.19.1-14
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
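Review bot: The unified `cleanup:` label in the inq_cred.c hunk calls `krb5_gss_release_cred(&tmpmin, &defcred)` on every exit, including when the caller supplied its own credential and defcred was presumably never acquired, so correctness rests on releasing an unacquired handle being a no-op, which nothing in the hunk records; a comment above the call, `/* No-op when the caller passed a credential and defcred was never acquired. */`, would make that dependency explicit. A second comment on the same line should note that `tmpmin` is used so the caller's `*minor_status`, set just above for the success path and at each error site, is not overwritten by the release. The old `fail:` path already performed the same release, so this is not a regression, but the success path now shares it and the reasoning deserves to be visible there. Since the leak only manifests on the GSS_C_NO_CREDENTIAL path, a leak-checked regression test that calls gss_inquire_cred without a credential would pin the fix for future backports. The function's head, where defcred and tmpmin are declared, and its return after `krb5_free_context` lie outside the hunks.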