Version in base suite: 1.21.3-5 Base version: krb5_1.21.3-5 Target version: krb5_1.21.3-5+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/krb5/krb5_1.21.3-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/krb5/krb5_1.21.3-5+deb13u1.dsc changelog | 8 ++ patches/Fix-two-NegoEx-parsing-vulnerabilities.patch | 66 +++++++++++++++++++ patches/series | 1 3 files changed, 75 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpofgswp0r/krb5_1.21.3-5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpofgswp0r/krb5_1.21.3-5+deb13u1.dsc: no acceptable signature found
diff -Nru krb5-1.21.3/debian/changelog krb5-1.21.3/debian/changelog
--- krb5-1.21.3/debian/changelog 2025-02-23 17:12:14.000000000 +0000
+++ krb5-1.21.3/debian/changelog 2026-05-10 07:16:51.000000000 +0000
@@ -1,3 +1,11 @@
+krb5 (1.21.3-5+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)
+ (Closes: #1135317)
+
+ -- Salvatore Bonaccorso Sun, 10 May 2026 09:16:51 +0200
+
 krb5 (1.21.3-5) unstable; urgency=medium
 * Non-maintainer upload with maintainer agreement.
diff -Nru krb5-1.21.3/debian/patches/Fix-two-NegoEx-parsing-vulnerabilities.patch krb5-1.21.3/debian/patches/Fix-two-NegoEx-parsing-vulnerabilities.patch
--- krb5-1.21.3/debian/patches/Fix-two-NegoEx-parsing-vulnerabilities.patch 1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.21.3/debian/patches/Fix-two-NegoEx-parsing-vulnerabilities.patch 2026-05-10 07:15:48.000000000 +0000
@@ -0,0 +1,66 @@
+From: Greg Hudson
+Date: Wed, 8 Apr 2026 17:57:59 -0400
+Subject: Fix two NegoEx parsing vulnerabilities
+Origin: https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
+Bug-Debian: https://bugs.debian.org/1135317
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40356
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-40355
+
+In parse_nego_message(), check the result of the second call to
+vector_base() before dereferencing it. In parse_message(), check for
+a short header_len to prevent an integer underflow when calculating
+the remaining message length.
+
+Reported by Cem Onat Karagun.
+
+CVE-2026-40355:
+
+In MIT krb5 release 1.18 and later, if an application calls
+gss_accept_sec_context() on a system with a NegoEx mechanism
+registered in /etc/gss/mech, an unauthenticated remote attacker can
+trigger a null pointer dereference, causing the process to terminate.
+
+CVE-2026-40356:
+
+In MIT krb5 release 1.18 and later, if an application calls
+gss_accept_sec_context() on a system with a NegoEx mechanism
+registered in /etc/gss/mech, an unauthenticated remote attacker can
+trigger a read overrun of up to 52 bytes, possibly causing the process
+to terminate. Exfiltration of the bytes read does not appear
+possible.
+
+ticket: 9205 (new)
+tags: pullup
+target_version: 1.22-next
+---
+ src/lib/gssapi/spnego/negoex_util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
+index edc5462e8441..a65238e57305 100644
+--- a/src/lib/gssapi/spnego/negoex_util.c
++++ b/src/lib/gssapi/spnego/negoex_util.c
+@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
+ offset = k5_input_get_uint32_le(in);
+ count = k5_input_get_uint16_le(in);
+ p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
++ if (p == NULL) {
++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
++ return GSS_S_DEFECTIVE_TOKEN;
++ }
+ for (i = 0; i < count; i++) {
+ extension_type = load_32_le(p + i * EXTENSION_LENGTH);
+ if (extension_type & EXTENSION_FLAG_CRITICAL) {
+@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
+ msg_len = k5_input_get_uint32_le(in);
+ conv_id = k5_input_get_bytes(in, GUID_LENGTH);
+
+- if (in->status || msg_len > token_remaining || header_len > msg_len) {
++ if (in->status || msg_len > token_remaining ||
++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
+ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+--
+2.53.0
+
diff -Nru krb5-1.21.3/debian/patches/series krb5-1.21.3/debian/patches/series
--- krb5-1.21.3/debian/patches/series 2025-02-23 17:12:14.000000000 +0000
+++ krb5-1.21.3/debian/patches/series 2026-05-10 07:15:54.000000000 +0000
@@ -11,3 +11,4 @@
 0012-Skip-keyring-tests-if-keyring-blocked-by-seccomp.patch
 0012-Replace-ssl.wrap_socket-for-tests.patch
 CVE-2025-24528.patch
+Fix-two-NegoEx-parsing-vulnerabilities.patch
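Review bot: The new lower bound in parse_message(), `header_len < (size_t)(in->ptr - msg_base)`, expresses the minimum header size only through the parser's current position, so nothing at the line itself says why a small header_len must be rejected; a comment such as `/* header_len must cover the fixed fields consumed so far, or the remaining-length arithmetic would underflow */` would tie the check to the CVE-2026-40356 text in the patch header. The same applies to the new NULL check in parse_nego_message(): a short `/* vector_base() returns NULL when offset/count fall outside the message */` would be helpful if that is indeed vector_base()'s contract, which the hunk does not show. Both parse_nego_message() and parse_message() begin and end outside their hunks, so the remaining-length computation the description refers to cannot be reviewed here. Regression tests that present a message with header_len below the fixed header size and one with an out-of-range extension vector would pin both fixes against future refactoring.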