Arch Linux ASA-201507-10
Jul 12, 2015 - 12:00 a.m.

krb5: multiple issues

Arch Linux
lists.archlinux.org

CVSS2: 5.8 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.949 High (Percentile: 99.1%)

  • CVE-2014-5355 (denial of service)

When a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by sending
a zero-byte version string, or a read beyond the end of allocated
storage by sending a non-null-terminated version string. The example
user-to-user server application (uuserver) is similarly vulnerable to a
zero-length or non-null-terminated principal name string.

The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence. krb5_recvauth
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions. If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference a
NULL pointer, causing the process to crash. If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end of
the allocated storage, possibly causing the process to crash.
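
The comparison described above next to a length-checked form, as an added example that is not code from the advisory or from krb5. `struct octets` is a hypothetical stand-in for krb5_data, the function names are illustrative, and the example assumes the expected string is sent with its terminating NUL.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_data: a length plus a pointer to raw octets. */
struct octets {
    size_t length;
    char *data;   /* NULL when length == 0; not guaranteed NUL-terminated */
};

/* Pattern described in the advisory: the buffer is treated as a C string.
 * Undefined behaviour when data is NULL or lacks a terminating NUL. */
int version_matches_unsafe(const struct octets *in, const char *expected)
{
    return strcmp(in->data, expected) == 0;
}

/* Length-checked form. Assumption: the peer sends the expected string
 * including its terminating NUL, so exactly strlen(expected) + 1 octets
 * must be present before any byte is compared. */
int version_matches(const struct octets *in, const char *expected)
{
    size_t want = strlen(expected) + 1;

    if (in == NULL || in->data == NULL || in->length != want)
        return 0;
    return memcmp(in->data, expected, want) == 0;
}

/* Build a constructed message from raw bytes, mimicking a network read:
 * an empty message yields length 0 and a NULL data pointer. */
struct octets make_msg(const char *bytes, size_t len)
{
    struct octets m = { len, NULL };

    if (len > 0) {
        m.data = malloc(len);
        if (m.data == NULL)
            abort();
        memcpy(m.data, bytes, len);
    }
    return m;
}
```
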

  • CVE-2015-2694 (preauthentication requirement bypass)

It has been discovered that, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal’s long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user’s password.

OS    Version  Architecture  Package  Version     Filename
any   any      any           krb5     < 1.13.2-1  UNKNOWN
