Package: libgssapi-krb5-2
Version: 1.17-3+deb10u1
Severity: normal
Tags: patch upstream
I have recently stumbled upon a resource leak in this library. Here is my one-line patch for it. As far as I can tell the problem was introduced ten years ago and is still present in the latest upstream version. I have tested this patch and it does seem to plug the leak I found.
Author: Sergio Gelato <sergio.gel...@astro.su.se> Date: Wed Jul 14 20:21:29 UTC 2021 Subject: Plug leak in krb5_gss_inquire_cred Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 added an assignment to cred_handle but didn't update the cleanup code accordingly. This results in a leak on every call with GSS_C_NO_CREDENTIAL. We solve this by analogy with the changes to krb5_gss_init_sec_context_ext() and to the error cleanup block of krb5_gss_inquire_cred() by the same commit. Index: krb5-1.17/src/lib/gssapi/krb5/inq_cred.c =================================================================== --- krb5-1.17.orig/src/lib/gssapi/krb5/inq_cred.c 2019-01-08 17:02:37.000000000 +0100 +++ krb5-1.17/src/lib/gssapi/krb5/inq_cred.c 2021-07-14 22:19:40.022773499 +0200 @@ -197,8 +197,7 @@ mechs = GSS_C_NO_OID_SET; } - if (cred_handle == GSS_C_NO_CREDENTIAL) - krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); + krb5_gss_release_cred(minor_status, &defcred); krb5_free_context(context); *minor_status = 0;
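Review bot: The now-unconditional `krb5_gss_release_cred(minor_status, &defcred);` on the added line is only safe if `defcred` is set to GSS_C_NO_CREDENTIAL before any path can reach this cleanup and if the release function treats that value as a no-op. Neither the declaration of `defcred` nor that guarantee is visible in this hunk, and callers that pass a real credential will now reach this call too, so please confirm both and say so in the patch description. Separately, whatever status the release call reports is overwritten by the `*minor_status = 0;` that follows, as it was before the change; a one-line comment noting that this is intentional on the success path would help the next reader.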