summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-11-08 23:05:11 -0500
committerMark H Weaver <mhw@netris.org>2015-11-13 12:42:47 -0500
commitff45a00e798350676ca7a4cf1cac349cc0b4c1f6 (patch)
tree516c980bab196807f9e1dc97a88db273796a62d4 /gnu/packages
parent4d53c29e6ca0fb432e92c298f9537c688fbbc10e (diff)
downloadguix-ff45a00e798350676ca7a4cf1cac349cc0b4c1f6.tar.gz
gnu: mit-krb5: Add fixes for CVE-2015-{2695,2696,2697,2698}.
* gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch,
  gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch,
  gnu/packages/patches/mit-krb5-CVE-2015-2696.patch,
  gnu/packages/patches/mit-krb5-CVE-2015-2697.patch,
  gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch,
  gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Add patches.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/mit-krb5.scm14
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch569
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch65
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2696.patch736
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2697.patch55
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch43
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch132
7 files changed, 1613 insertions, 1 deletions
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 76d8b2473e..16bef8d97d 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -42,7 +42,19 @@
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
-       ("perl" ,perl)))
+       ("perl" ,perl)
+
+       ;; Include the patches as native-inputs.
+       ,@(map (lambda (label)
+                (let ((input-name (string-append "patch/" label))
+                      (file-name  (string-append name "-" label ".patch")))
+                  `(,input-name ,(search-patch file-name))))
+              '("CVE-2015-2695-pt1"
+                "CVE-2015-2695-pt2"
+                "CVE-2015-2696"
+                "CVE-2015-2697"
+                "CVE-2015-2698-pt1"
+                "CVE-2015-2698-pt2"))))
     (arguments
      `(#:modules ((ice-9 ftw)
                   (ice-9 match)
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
new file mode 100644
index 0000000000..0f5603e228
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
@@ -0,0 +1,569 @@
+Copied from Debian.
+
+From b813d5811432faed844a2dfd3daecde914978f2c Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:27:52 -0400
+Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695]
+
+The SPNEGO mechanism currently replaces its context handle with the
+mechanism context handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the SPNEGO context structure after context
+establishment and refer to it in all GSS methods.  Add initiate and
+opened flags to the SPNEGO context structure for use in
+gss_inquire_context() prior to context establishment.
+
+CVE-2015-2695:
+
+In MIT krb5 1.5 and later, applications which call
+gss_inquire_context() on a partially-established SPNEGO context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  This bug may go unnoticed, because
+the most common SPNEGO authentication scenario establishes the context
+after just one call to gss_accept_sec_context().  Java server
+applications using the native JGSS provider are vulnerable to this
+bug.  A carefully crafted SPNEGO packet might allow the
+gss_inquire_context() call to succeed with attacker-determined
+results, but applications should not make access control decisions
+based on gss_inquire_context() results prior to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d)
+Patch-Category: upstream
+---
+ src/lib/gssapi/spnego/gssapiP_spnego.h |   2 +
+ src/lib/gssapi/spnego/spnego_mech.c    | 254 ++++++++++++++++++++++++---------
+ 2 files changed, 192 insertions(+), 64 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
+index bc23f56..8e05736 100644
+--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
+@@ -102,6 +102,8 @@ typedef struct {
+ 	int firstpass;
+ 	int mech_complete;
+ 	int nego_done;
++	int initiate;
++	int opened;
+ 	OM_uint32 ctx_flags;
+ 	gss_name_t internal_name;
+ 	gss_OID actual_mech;
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 6e39c37..a1072b0 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -104,7 +104,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
+ 				      gss_cred_usage_t, gss_OID_set *);
+ static void release_spnego_ctx(spnego_gss_ctx_id_t *);
+ static void check_spnego_options(spnego_gss_ctx_id_t);
+-static spnego_gss_ctx_id_t create_spnego_ctx(void);
++static spnego_gss_ctx_id_t create_spnego_ctx(int);
+ static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf);
+ static int put_input_token(unsigned char **, gss_buffer_t, unsigned int);
+ static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int);
+@@ -442,7 +442,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx)
+ }
+ 
+ static spnego_gss_ctx_id_t
+-create_spnego_ctx(void)
++create_spnego_ctx(int initiate)
+ {
+ 	spnego_gss_ctx_id_t spnego_ctx = NULL;
+ 	spnego_ctx = (spnego_gss_ctx_id_t)
+@@ -465,6 +465,8 @@ create_spnego_ctx(void)
+ 	spnego_ctx->mic_rcvd = 0;
+ 	spnego_ctx->mech_complete = 0;
+ 	spnego_ctx->nego_done = 0;
++	spnego_ctx->opened = 0;
++	spnego_ctx->initiate = initiate;
+ 	spnego_ctx->internal_name = GSS_C_NO_NAME;
+ 	spnego_ctx->actual_mech = GSS_C_NO_OID;
+ 
+@@ -630,7 +632,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 	OM_uint32 ret;
+ 	spnego_gss_ctx_id_t sc = NULL;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(1);
+ 	if (sc == NULL)
+ 		return GSS_S_FAILURE;
+ 
+@@ -647,10 +649,7 @@ init_ctx_new(OM_uint32 *minor_status,
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+ 	}
+-	/*
+-	 * The actual context is not yet determined, set the output
+-	 * context handle to refer to the spnego context itself.
+-	 */
++
+ 	sc->ctx_handle = GSS_C_NO_CONTEXT;
+ 	*ctx = (gss_ctx_id_t)sc;
+ 	sc = NULL;
+@@ -1091,16 +1090,11 @@ cleanup:
+ 	}
+ 	gss_release_buffer(&tmpmin, &mechtok_out);
+ 	if (ret == GSS_S_COMPLETE) {
+-		/*
+-		 * Now, switch the output context to refer to the
+-		 * negotiated mechanism's context.
+-		 */
+-		*context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle;
++		spnego_ctx->opened = 1;
+ 		if (actual_mech != NULL)
+ 			*actual_mech = spnego_ctx->actual_mech;
+ 		if (ret_flags != NULL)
+ 			*ret_flags = spnego_ctx->ctx_flags;
+-		release_spnego_ctx(&spnego_ctx);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (spnego_ctx != NULL) {
+ 			gss_delete_sec_context(&tmpmin,
+@@ -1344,7 +1338,7 @@ acc_ctx_hints(OM_uint32 *minor_status,
+ 	if (ret != GSS_S_COMPLETE)
+ 		goto cleanup;
+ 
+-	sc = create_spnego_ctx();
++	sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		goto cleanup;
+@@ -1426,7 +1420,7 @@ acc_ctx_new(OM_uint32 *minor_status,
+ 		gss_release_buffer(&tmpmin, &sc->DER_mechTypes);
+ 		assert(mech_wanted != GSS_C_NO_OID);
+ 	} else
+-		sc = create_spnego_ctx();
++		sc = create_spnego_ctx(0);
+ 	if (sc == NULL) {
+ 		ret = GSS_S_FAILURE;
+ 		*return_token = NO_TOKEN_SEND;
+@@ -1809,13 +1803,12 @@ cleanup:
+ 			ret = GSS_S_FAILURE;
+ 	}
+ 	if (ret == GSS_S_COMPLETE) {
+-		*context_handle = (gss_ctx_id_t)sc->ctx_handle;
++		sc->opened = 1;
+ 		if (sc->internal_name != GSS_C_NO_NAME &&
+ 		    src_name != NULL) {
+ 			*src_name = sc->internal_name;
+ 			sc->internal_name = GSS_C_NO_NAME;
+ 		}
+-		release_spnego_ctx(&sc);
+ 	} else if (ret != GSS_S_CONTINUE_NEEDED) {
+ 		if (sc != NULL) {
+ 			gss_delete_sec_context(&tmpmin, &sc->ctx_handle,
+@@ -2128,8 +2121,13 @@ spnego_gss_unwrap(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap(minor_status,
+-			context_handle,
++			sc->ctx_handle,
+ 			input_message_buffer,
+ 			output_message_buffer,
+ 			conf_state,
+@@ -2149,8 +2147,13 @@ spnego_gss_wrap(
+ 		gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    conf_req_flag,
+ 		    qop_req,
+ 		    input_message_buffer,
+@@ -2167,8 +2170,14 @@ spnego_gss_process_context_token(
+ 				const gss_buffer_t token_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* SPNEGO doesn't have its own context tokens. */
++	if (!sc->opened)
++		return (GSS_S_DEFECTIVE_TOKEN);
++
+ 	ret = gss_process_context_token(minor_status,
+-					context_handle,
++					sc->ctx_handle,
+ 					token_buffer);
+ 
+ 	return (ret);
+@@ -2192,19 +2201,9 @@ spnego_gss_delete_sec_context(
+ 	if (*ctx == NULL)
+ 		return (GSS_S_COMPLETE);
+ 
+-	/*
+-	 * If this is still an SPNEGO mech, release it locally.
+-	 */
+-	if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) {
+-		(void) gss_delete_sec_context(minor_status,
+-				    &(*ctx)->ctx_handle,
+-				    output_token);
+-		(void) release_spnego_ctx(ctx);
+-	} else {
+-		ret = gss_delete_sec_context(minor_status,
+-				    context_handle,
+-				    output_token);
+-	}
++	(void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle,
++				      output_token);
++	(void) release_spnego_ctx(ctx);
+ 
+ 	return (ret);
+ }
+@@ -2216,8 +2215,13 @@ spnego_gss_context_time(
+ 			OM_uint32	*time_rec)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_context_time(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    time_rec);
+ 	return (ret);
+ }
+@@ -2229,9 +2233,20 @@ spnego_gss_export_sec_context(
+ 			    gss_buffer_t interprocess_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle;
++
++	/* We don't currently support exporting partially established
++	 * contexts. */
++	if (!sc->opened)
++		return GSS_S_UNAVAILABLE;
++
+ 	ret = gss_export_sec_context(minor_status,
+-				    context_handle,
++				    &sc->ctx_handle,
+ 				    interprocess_token);
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT) {
++		release_spnego_ctx(&sc);
++		*context_handle = GSS_C_NO_CONTEXT;
++	}
+ 	return (ret);
+ }
+ 
+@@ -2241,11 +2256,12 @@ spnego_gss_import_sec_context(
+ 	const gss_buffer_t	interprocess_token,
+ 	gss_ctx_id_t		*context_handle)
+ {
+-	OM_uint32 ret;
+-	ret = gss_import_sec_context(minor_status,
+-				    interprocess_token,
+-				    context_handle);
+-	return (ret);
++	/*
++	 * Until we implement partial context exports, there are no SPNEGO
++	 * exported context tokens, only tokens for underlying mechs.  So just
++	 * return an error for now.
++	 */
++	return GSS_S_UNAVAILABLE;
+ }
+ #endif /* LEAN_CLIENT */
+ 
+@@ -2262,16 +2278,48 @@ spnego_gss_inquire_context(
+ 			int		*opened)
+ {
+ 	OM_uint32 ret = GSS_S_COMPLETE;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (src_name != NULL)
++		*src_name = GSS_C_NO_NAME;
++	if (targ_name != NULL)
++		*targ_name = GSS_C_NO_NAME;
++	if (lifetime_rec != NULL)
++		*lifetime_rec = 0;
++	if (mech_type != NULL)
++		*mech_type = (gss_OID)gss_mech_spnego;
++	if (ctx_flags != NULL)
++		*ctx_flags = 0;
++	if (locally_initiated != NULL)
++		*locally_initiated = sc->initiate;
++	if (opened != NULL)
++		*opened = sc->opened;
++
++	if (sc->ctx_handle != GSS_C_NO_CONTEXT) {
++		ret = gss_inquire_context(minor_status, sc->ctx_handle,
++					  src_name, targ_name, lifetime_rec,
++					  mech_type, ctx_flags, NULL, NULL);
++	}
+ 
+-	ret = gss_inquire_context(minor_status,
+-				context_handle,
+-				src_name,
+-				targ_name,
+-				lifetime_rec,
+-				mech_type,
+-				ctx_flags,
+-				locally_initiated,
+-				opened);
++	if (!sc->opened) {
++		/*
++		 * We are still doing SPNEGO negotiation, so report SPNEGO as
++		 * the OID.  After negotiation is complete we will report the
++		 * underlying mechanism OID.
++		 */
++		if (mech_type != NULL)
++			*mech_type = (gss_OID)gss_mech_spnego;
++
++		/*
++		 * Remove flags we don't support with partially-established
++		 * contexts.  (Change this to keep GSS_C_TRANS_FLAG if we add
++		 * support for exporting partial SPNEGO contexts.)
++		 */
++		if (ctx_flags != NULL) {
++			*ctx_flags &= ~GSS_C_PROT_READY_FLAG;
++			*ctx_flags &= ~GSS_C_TRANS_FLAG;
++		}
++	}
+ 
+ 	return (ret);
+ }
+@@ -2286,8 +2334,13 @@ spnego_gss_wrap_size_limit(
+ 	OM_uint32	*max_input_size)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_size_limit(minor_status,
+-				context_handle,
++				sc->ctx_handle,
+ 				conf_req_flag,
+ 				qop_req,
+ 				req_output_size,
+@@ -2304,8 +2357,13 @@ spnego_gss_get_mic(
+ 		gss_buffer_t message_token)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_get_mic(minor_status,
+-		    context_handle,
++		    sc->ctx_handle,
+ 		    qop_req,
+ 		    message_buffer,
+ 		    message_token);
+@@ -2321,8 +2379,13 @@ spnego_gss_verify_mic(
+ 		gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_verify_mic(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    msg_buffer,
+ 			    token_buffer,
+ 			    qop_state);
+@@ -2337,8 +2400,14 @@ spnego_gss_inquire_sec_context_by_oid(
+ 		gss_buffer_set_t *data_set)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function. */
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_inquire_sec_context_by_oid(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    desired_object,
+ 			    data_set);
+ 	return (ret);
+@@ -2407,8 +2476,15 @@ spnego_gss_set_sec_context_option(
+ 		const gss_buffer_t value)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle;
++
++	/* There are no SPNEGO-specific OIDs for this function, and we cannot
++	 * construct an empty SPNEGO context with it. */
++	if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_set_sec_context_option(minor_status,
+-			    context_handle,
++			    &sc->ctx_handle,
+ 			    desired_object,
+ 			    value);
+ 	return (ret);
+@@ -2425,8 +2501,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status,
+ 		     gss_buffer_t output_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_aead(minor_status,
+-			    context_handle,
++			    sc->ctx_handle,
+ 			    conf_req_flag,
+ 			    qop_req,
+ 			    input_assoc_buffer,
+@@ -2447,8 +2528,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status,
+ 		       gss_qop_t *qop_state)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_aead(minor_status,
+-			      context_handle,
++			      sc->ctx_handle,
+ 			      input_message_buffer,
+ 			      input_assoc_buffer,
+ 			      output_payload_buffer,
+@@ -2467,8 +2553,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status,
+ 		    int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov(minor_status,
+-			   context_handle,
++			   sc->ctx_handle,
+ 			   conf_req_flag,
+ 			   qop_req,
+ 			   conf_state,
+@@ -2486,8 +2577,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status,
+ 		      int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_unwrap_iov(minor_status,
+-			     context_handle,
++			     sc->ctx_handle,
+ 			     conf_state,
+ 			     qop_state,
+ 			     iov,
+@@ -2505,8 +2601,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status,
+ 			   int iov_count)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_wrap_iov_length(minor_status,
+-				  context_handle,
++				  sc->ctx_handle,
+ 				  conf_req_flag,
+ 				  qop_req,
+ 				  conf_state,
+@@ -2523,8 +2624,13 @@ spnego_gss_complete_auth_token(
+ 		gss_buffer_t input_message_buffer)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_UNAVAILABLE);
++
+ 	ret = gss_complete_auth_token(minor_status,
+-				      context_handle,
++				      sc->ctx_handle,
+ 				      input_message_buffer);
+ 	return (ret);
+ }
+@@ -2776,8 +2882,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status,
+ 			 gss_buffer_t prf_out)
+ {
+ 	OM_uint32 ret;
++	spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context;
++
++	if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++		return (GSS_S_NO_CONTEXT);
++
+ 	ret = gss_pseudo_random(minor_status,
+-				context,
++				sc->ctx_handle,
+ 				prf_key,
+ 				prf_in,
+ 				desired_output_len,
+@@ -2918,7 +3029,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 		       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
+ 		       int iov_count)
+ {
+-    return gss_get_mic_iov(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov,
+ 			   iov_count);
+ }
+ 
+@@ -2927,7 +3043,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
+ 			  gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
+ 			  int iov_count)
+ {
+-    return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov,
+ 			      iov_count);
+ }
+ 
+@@ -2936,7 +3057,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status,
+ 			      gss_ctx_id_t context_handle, gss_qop_t qop_req,
+ 			      gss_iov_buffer_desc *iov, int iov_count)
+ {
+-    return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov,
++    spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle;
++
++    if (sc->ctx_handle == GSS_C_NO_CONTEXT)
++	    return (GSS_S_NO_CONTEXT);
++
++    return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov,
+ 				  iov_count);
+ }
+ 
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch
new file mode 100644
index 0000000000..aa9fcfa0dd
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch
@@ -0,0 +1,65 @@
+Copied from Debian.
+
+From 18c512ebdcc5cacc777e9dbcc6817f83c301ad93 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 4 Nov 2015 21:29:10 -0500
+Subject: Fix SPNEGO context import
+
+The patches for CVE-2015-2695 did not implement a SPNEGO
+gss_import_sec_context() function, under the erroneous belief than an
+exported SPNEGO context would be tagged with the underlying context
+mechanism.  Implement it now to allow SPNEGO contexts to be
+successfully exported and imported after establishment.
+
+ticket: 8273
+(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index a1072b0..02284a1 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2256,12 +2256,33 @@ spnego_gss_import_sec_context(
+ 	const gss_buffer_t	interprocess_token,
+ 	gss_ctx_id_t		*context_handle)
+ {
+-	/*
+-	 * Until we implement partial context exports, there are no SPNEGO
+-	 * exported context tokens, only tokens for underlying mechs.  So just
+-	 * return an error for now.
+-	 */
+-	return GSS_S_UNAVAILABLE;
++	OM_uint32 ret, tmpmin;
++	gss_ctx_id_t mctx;
++	spnego_gss_ctx_id_t sc;
++	int initiate, opened;
++
++	ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
++	if (ret != GSS_S_COMPLETE)
++		return ret;
++
++	ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
++				  &initiate, &opened);
++	if (ret != GSS_S_COMPLETE || !opened) {
++		/* We don't currently support importing partially established
++		 * contexts. */
++		(void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++		return GSS_S_FAILURE;
++	}
++
++	sc = create_spnego_ctx(initiate);
++	if (sc == NULL) {
++		(void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++		return GSS_S_FAILURE;
++	}
++	sc->ctx_handle = mctx;
++	sc->opened = 1;
++	*context_handle = (gss_ctx_id_t)sc;
++	return GSS_S_COMPLETE;
+ }
+ #endif /* LEAN_CLIENT */
+ 
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
new file mode 100644
index 0000000000..7b4b1d71ab
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
@@ -0,0 +1,736 @@
+Copied from Debian.
+
+From ebea85358bc72ec20c53130d83acb93f95853b76 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Mon, 14 Sep 2015 12:28:36 -0400
+Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696]
+
+The IAKERB mechanism currently replaces its context handle with the
+krb5 mechanism handle upon establishment, under the assumption that
+most GSS functions are only called after context establishment.  This
+assumption is incorrect, and can lead to aliasing violations for some
+programs.  Maintain the IAKERB context structure after context
+establishment and add new IAKERB entry points to refer to it with that
+type.  Add initiate and established flags to the IAKERB context
+structure for use in gss_inquire_context() prior to context
+establishment.
+
+CVE-2015-2696:
+
+In MIT krb5 1.9 and later, applications which call
+gss_inquire_context() on a partially-established IAKERB context can
+cause the GSS-API library to read from a pointer using the wrong type,
+generally causing a process crash.  Java server applications using the
+native JGSS provider are vulnerable to this bug.  A carefully crafted
+IAKERB packet might allow the gss_inquire_context() call to succeed
+with attacker-determined results, but applications should not make
+access control decisions based on gss_inquire_context() results prior
+to context establishment.
+
+    CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+[ghudson@mit.edu: several bugfixes, style changes, and edge-case
+behavior changes; commit message and CVE description]
+
+ticket: 8244
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a)
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++
+ src/lib/gssapi/krb5/gssapi_krb5.c  | 105 +++++++++--
+ src/lib/gssapi/krb5/iakerb.c       | 351 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 529 insertions(+), 41 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index a0e8625..05dc321 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
+ );
+ #endif /* LEAN_CLIENT */
+ 
++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
++(OM_uint32*,       /* minor_status */
++ const gss_ctx_id_t,
++ /* context_handle */
++ const gss_OID,    /* desired_object */
++ gss_buffer_set_t* /* data_set */
++);
++
++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
++(OM_uint32*,       /* minor_status */
++ gss_ctx_id_t*,    /* context_handle */
++ const gss_OID,    /* desired_object */
++ const gss_buffer_t/* value */
++);
++
+ OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
+ (OM_uint32*,       /* minor_status */
+  gss_ctx_id_t,     /* context_handle */
+@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV
+ krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
+                      gss_cred_id_t *cred_handle);
+ 
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *locally_initiated, int *opened);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size);
++
++#ifndef LEAN_CLIENT
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token);
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out);
++
+ /* Magic string to identify exported krb5 GSS credentials.  Increment this if
+  * the format changes. */
+ #define CRED_EXPORT_MAGIC "K5C1"
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 77b7fff..9a23656 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -345,7 +345,7 @@ static struct {
+     }
+ };
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+                                      const gss_ctx_id_t context_handle,
+                                      const gss_OID desired_object,
+@@ -459,7 +459,7 @@ static struct {
+ };
+ #endif
+ 
+-static OM_uint32 KRB5_CALLCONV
++OM_uint32 KRB5_CALLCONV
+ krb5_gss_set_sec_context_option (OM_uint32 *minor_status,
+                                  gss_ctx_id_t *context_handle,
+                                  const gss_OID desired_object,
+@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = {
+     krb5_gss_get_mic_iov_length,
+ };
+ 
++/* Functions which use security contexts or acquire creds are IAKERB-specific;
++ * other functions can borrow from the krb5 mech. */
++static struct gss_config iakerb_mechanism = {
++    { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
++    NULL,
++    iakerb_gss_acquire_cred,
++    krb5_gss_release_cred,
++    iakerb_gss_init_sec_context,
++#ifdef LEAN_CLIENT
++    NULL,
++#else
++    iakerb_gss_accept_sec_context,
++#endif
++    iakerb_gss_process_context_token,
++    iakerb_gss_delete_sec_context,
++    iakerb_gss_context_time,
++    iakerb_gss_get_mic,
++    iakerb_gss_verify_mic,
++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_wrap,
++#endif
++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE)
++    NULL,
++#else
++    iakerb_gss_unwrap,
++#endif
++    krb5_gss_display_status,
++    krb5_gss_indicate_mechs,
++    krb5_gss_compare_name,
++    krb5_gss_display_name,
++    krb5_gss_import_name,
++    krb5_gss_release_name,
++    krb5_gss_inquire_cred,
++    NULL,                /* add_cred */
++#ifdef LEAN_CLIENT
++    NULL,
++    NULL,
++#else
++    iakerb_gss_export_sec_context,
++    NULL,
++#endif
++    krb5_gss_inquire_cred_by_mech,
++    krb5_gss_inquire_names_for_mech,
++    iakerb_gss_inquire_context,
++    krb5_gss_internal_release_oid,
++    iakerb_gss_wrap_size_limit,
++    krb5_gss_localname,
++    krb5_gss_authorize_localname,
++    krb5_gss_export_name,
++    krb5_gss_duplicate_name,
++    krb5_gss_store_cred,
++    iakerb_gss_inquire_sec_context_by_oid,
++    krb5_gss_inquire_cred_by_oid,
++    iakerb_gss_set_sec_context_option,
++    krb5_gssspi_set_cred_option,
++    krb5_gssspi_mech_invoke,
++    NULL,                /* wrap_aead */
++    NULL,                /* unwrap_aead */
++    iakerb_gss_wrap_iov,
++    iakerb_gss_unwrap_iov,
++    iakerb_gss_wrap_iov_length,
++    NULL,               /* complete_auth_token */
++    NULL,               /* acquire_cred_impersonate_name */
++    NULL,               /* add_cred_impersonate_name */
++    NULL,               /* display_name_ext */
++    krb5_gss_inquire_name,
++    krb5_gss_get_name_attribute,
++    krb5_gss_set_name_attribute,
++    krb5_gss_delete_name_attribute,
++    krb5_gss_export_name_composite,
++    krb5_gss_map_name_to_any,
++    krb5_gss_release_any_name_mapping,
++    iakerb_gss_pseudo_random,
++    NULL,               /* set_neg_mechs */
++    krb5_gss_inquire_saslname_for_mech,
++    krb5_gss_inquire_mech_for_saslname,
++    krb5_gss_inquire_attrs_for_mech,
++    krb5_gss_acquire_cred_from,
++    krb5_gss_store_cred_into,
++    iakerb_gss_acquire_cred_with_password,
++    krb5_gss_export_cred,
++    krb5_gss_import_cred,
++    NULL,               /* import_sec_context_by_mech */
++    NULL,               /* import_name_by_mech */
++    NULL,               /* import_cred_by_mech */
++    iakerb_gss_get_mic_iov,
++    iakerb_gss_verify_mic_iov,
++    iakerb_gss_get_mic_iov_length,
++};
++
+ #ifdef _GSS_STATIC_LINK
+ #include "mglueP.h"
+ static int gss_iakerbmechglue_init(void)
+ {
+     struct gss_mech_config mech_iakerb;
+-    struct gss_config iakerb_mechanism = krb5_mechanism;
+-
+-    /* IAKERB mechanism mirrors krb5, but with different context SPIs */
+-    iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
+-    iakerb_mechanism.gss_init_sec_context   = iakerb_gss_init_sec_context;
+-    iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
+-    iakerb_mechanism.gss_acquire_cred       = iakerb_gss_acquire_cred;
+-    iakerb_mechanism.gssspi_acquire_cred_with_password
+-                                    = iakerb_gss_acquire_cred_with_password;
+ 
+     memset(&mech_iakerb, 0, sizeof(mech_iakerb));
+     mech_iakerb.mech = &iakerb_mechanism;
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index f30de32..4662bd9 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec {
+     gss_ctx_id_t gssc;
+     krb5_data conv;                     /* conversation for checksumming */
+     unsigned int count;                 /* number of round trips */
++    int initiate;
++    int established;
+     krb5_get_init_creds_opt *gic_opts;
+ };
+ 
+@@ -695,7 +697,7 @@ cleanup:
+  * Allocate and initialise an IAKERB context
+  */
+ static krb5_error_code
+-iakerb_alloc_context(iakerb_ctx_id_t *pctx)
++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate)
+ {
+     iakerb_ctx_id_t ctx;
+     krb5_error_code code;
+@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
+     ctx->magic = KG_IAKERB_CONTEXT;
+     ctx->state = IAKERB_AS_REQ;
+     ctx->count = 0;
++    ctx->initiate = initiate;
++    ctx->established = 0;
+ 
+     code = krb5_gss_init_context(&ctx->k5c);
+     if (code != 0)
+@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+                               gss_buffer_t output_token)
+ {
+-    OM_uint32 major_status = GSS_S_COMPLETE;
++    iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+     if (output_token != GSS_C_NO_BUFFER) {
+         output_token->length = 0;
+@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+     }
+ 
+     *minor_status = 0;
++    *context_handle = GSS_C_NO_CONTEXT;
++    iakerb_release_context(iakerb_ctx);
+ 
+-    if (*context_handle != GSS_C_NO_CONTEXT) {
+-        iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle;
+-
+-        if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) {
+-            iakerb_release_context(iakerb_ctx);
+-            *context_handle = GSS_C_NO_CONTEXT;
+-        } else {
+-            assert(iakerb_ctx->magic == KG_CONTEXT);
+-
+-            major_status = krb5_gss_delete_sec_context(minor_status,
+-                                                       context_handle,
+-                                                       output_token);
+-        }
+-    }
+-
+-    return major_status;
++    return GSS_S_COMPLETE;
+ }
+ 
+ static krb5_boolean
+@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 0);
+         if (code != 0)
+             goto cleanup;
+ 
+@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
+                                                        time_rec,
+                                                        delegated_cred_handle,
+                                                        &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = NULL;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (mech_type != NULL)
+             *mech_type = (gss_OID)gss_mech_krb5;
+     }
+@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ 
+     if (initialContextToken) {
+-        code = iakerb_alloc_context(&ctx);
++        code = iakerb_alloc_context(&ctx, 1);
+         if (code != 0) {
+             *minor_status = code;
+             goto cleanup;
+@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
+                                                      ret_flags,
+                                                      time_rec,
+                                                      &exts);
+-        if (major_status == GSS_S_COMPLETE) {
+-            *context_handle = ctx->gssc;
+-            ctx->gssc = GSS_C_NO_CONTEXT;
+-            iakerb_release_context(ctx);
+-        }
++        if (major_status == GSS_S_COMPLETE)
++            ctx->established = 1;
+         if (actual_mech_type != NULL)
+             *actual_mech_type = (gss_OID)gss_mech_krb5;
+     } else {
+@@ -1010,3 +995,309 @@ cleanup:
+ 
+     return major_status;
+ }
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                  gss_buffer_t input_message_buffer,
++                  gss_buffer_t output_message_buffer, int *conf_state,
++                  gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer,
++                           output_message_buffer, conf_state, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                int conf_req_flag, gss_qop_t qop_req,
++                gss_buffer_t input_message_buffer, int *conf_state,
++                gss_buffer_t output_message_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                         input_message_buffer, conf_state,
++                         output_message_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_process_context_token(OM_uint32 *minor_status,
++                                 const gss_ctx_id_t context_handle,
++                                 const gss_buffer_t token_buffer)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_DEFECTIVE_TOKEN;
++
++    return krb5_gss_process_context_token(minor_status, ctx->gssc,
++                                          token_buffer);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                        OM_uint32 *time_rec)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_context_time(minor_status, ctx->gssc, time_rec);
++}
++
++#ifndef LEAN_CLIENT
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_export_sec_context(OM_uint32 *minor_status,
++                              gss_ctx_id_t *context_handle,
++                              gss_buffer_t interprocess_token)
++{
++    OM_uint32 maj;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    /* We don't currently support exporting partially established contexts. */
++    if (!ctx->established)
++        return GSS_S_UNAVAILABLE;
++
++    maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc,
++                                      interprocess_token);
++    if (ctx->gssc == GSS_C_NO_CONTEXT) {
++        iakerb_release_context(ctx);
++        *context_handle = GSS_C_NO_CONTEXT;
++    }
++    return maj;
++}
++
++/*
++ * Until we implement partial context exports, there are no SPNEGO exported
++ * context tokens, only tokens for the underlying krb5 context.  So we do not
++ * need to implement an iakerb_gss_import_sec_context() yet; it would be
++ * unreachable except via a manually constructed token.
++ */
++
++#endif /* LEAN_CLIENT */
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_context(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, gss_name_t *src_name,
++                           gss_name_t *targ_name, OM_uint32 *lifetime_rec,
++                           gss_OID *mech_type, OM_uint32 *ctx_flags,
++                           int *initiate, int *opened)
++{
++    OM_uint32 ret;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (src_name != NULL)
++        *src_name = GSS_C_NO_NAME;
++    if (targ_name != NULL)
++        *targ_name = GSS_C_NO_NAME;
++    if (lifetime_rec != NULL)
++        *lifetime_rec = 0;
++    if (mech_type != NULL)
++        *mech_type = (gss_OID)gss_mech_iakerb;
++    if (ctx_flags != NULL)
++        *ctx_flags = 0;
++    if (initiate != NULL)
++        *initiate = ctx->initiate;
++    if (opened != NULL)
++        *opened = ctx->established;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_COMPLETE;
++
++    ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name,
++                                   targ_name, lifetime_rec, mech_type,
++                                   ctx_flags, initiate, opened);
++
++    if (!ctx->established) {
++        /* Report IAKERB as the mech OID until the context is established. */
++        if (mech_type != NULL)
++            *mech_type = (gss_OID)gss_mech_iakerb;
++
++        /* We don't support exporting partially-established contexts. */
++        if (ctx_flags != NULL)
++            *ctx_flags &= ~GSS_C_TRANS_FLAG;
++    }
++
++    return ret;
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, OM_uint32 req_output_size,
++                           OM_uint32 *max_input_size)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, req_output_size, max_input_size);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                   gss_qop_t qop_req, gss_buffer_t message_buffer,
++                   gss_buffer_t message_token)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer,
++                            message_token);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
++                      gss_qop_t *qop_state)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer,
++                               token_buffer, qop_state);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
++                                      const gss_ctx_id_t context_handle,
++                                      const gss_OID desired_object,
++                                      gss_buffer_set_t *data_set)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc,
++                                               desired_object, data_set);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
++                                  gss_ctx_id_t *context_handle,
++                                  const gss_OID desired_object,
++                                  const gss_buffer_t value)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
++
++    if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_UNAVAILABLE;
++
++    return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc,
++                                           desired_object, value);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                    int conf_req_flag, gss_qop_t qop_req, int *conf_state,
++                    gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req,
++                             conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                      int *conf_state, gss_qop_t *qop_state,
++                      gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state,
++                               iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
++                           gss_ctx_id_t context_handle, int conf_req_flag,
++                           gss_qop_t qop_req, int *conf_state,
++                           gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag,
++                                    qop_req, conf_state, iov, iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                         int prf_key, const gss_buffer_t prf_in,
++                         ssize_t desired_output_len, gss_buffer_t prf_out)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in,
++                                  desired_output_len, prf_out);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                       gss_qop_t qop_req, gss_iov_buffer_desc *iov,
++                       int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov,
++                                iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
++                          gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
++                          int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov,
++                                   iov_count);
++}
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
++                              gss_ctx_id_t context_handle, gss_qop_t qop_req,
++                              gss_iov_buffer_desc *iov, int iov_count)
++{
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++
++    if (ctx->gssc == GSS_C_NO_CONTEXT)
++        return GSS_S_NO_CONTEXT;
++
++    return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov,
++                                       iov_count);
++}
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch
new file mode 100644
index 0000000000..f65ce39623
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch
@@ -0,0 +1,55 @@
+Copied from Debian.
+
+From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 25 Sep 2015 12:51:47 -0400
+Subject: Fix build_principal memory bug [CVE-2015-2697]
+
+In build_principal_va(), use k5memdup0() instead of strdup() to make a
+copy of the realm, to ensure that we allocate the correct number of
+bytes and do not read past the end of the input string.  This bug
+affects krb5_build_principal(), krb5_build_principal_va(), and
+krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
+affected.
+
+CVE-2015-2697:
+
+In MIT krb5 1.7 and later, an authenticated attacker may be able to
+cause a KDC to crash using a TGS request with a large realm field
+beginning with a null byte.  If the KDC attempts to find a referral to
+answer the request, it constructs a principal name for lookup using
+krb5_build_principal() with the requested realm.  Due to a bug in this
+function, the null byte causes only one byte be allocated for the
+realm field of the constructed principal, far less than its length.
+Subsequent operations on the lookup principal may cause a read beyond
+the end of the mapped memory region, causing the KDC process to crash.
+
+CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8252 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
+Patch-Category: upstream
+---
+ src/lib/krb5/krb/bld_princ.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
+index ab6fed8..8604268 100644
+--- a/src/lib/krb5/krb/bld_princ.c
++++ b/src/lib/krb5/krb/bld_princ.c
+@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
+     data = malloc(size * sizeof(krb5_data));
+     if (!data) { retval = ENOMEM; }
+ 
+-    if (!retval) {
+-        r = strdup(realm);
+-        if (!r) { retval = ENOMEM; }
+-    }
++    if (!retval)
++        r = k5memdup0(realm, rlen, &retval);
+ 
+     while (!retval && (component = va_arg(ap, char *))) {
+         if (count == size) {
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
new file mode 100644
index 0000000000..67545e4c16
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
@@ -0,0 +1,43 @@
+Copied from Debian.
+
+From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 27 Oct 2015 00:44:24 -0400
+Subject: Fix two IAKERB comments
+
+The comment explaining why there is no iakerb_gss_import_sec_context()
+erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
+Kaduk).  The comment above iakerb_gss_delete_sec_context() is out of
+date after the last commit.
+
+(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/iakerb.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..e25862d 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+     return code;
+ }
+ 
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ }
+ 
+ /*
+- * Until we implement partial context exports, there are no SPNEGO exported
++ * Until we implement partial context exports, there are no IAKERB exported
+  * context tokens, only tokens for the underlying krb5 context.  So we do not
+  * need to implement an iakerb_gss_import_sec_context() yet; it would be
+  * unreachable except via a manually constructed token.
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
new file mode 100644
index 0000000000..8725cd4eed
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
@@ -0,0 +1,132 @@
+Copied from Debian.
+
+From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 4 Nov 2015 21:28:28 -0500
+Subject: Fix IAKERB context export/import [CVE-2015-2698]
+
+The patches for CVE-2015-2696 contained a regression in the newly
+added IAKERB iakerb_gss_export_sec_context() function, which could
+cause it to corrupt memory.  Fix the regression by properly
+dereferencing the context_handle pointer before casting it.
+
+Also, the patches did not implement an IAKERB gss_import_sec_context()
+function, under the erroneous belief than an exported IAKERB context
+would be tagged as a krb5 context.  Implement it now to allow IAKERB
+contexts to be successfully exported and imported after establishment.
+
+CVE-2015-2698:
+
+In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
+application which calls gss_export_sec_context() may experience memory
+corruption if the context was established using the IAKERB mechanism.
+Historically, some vulnerabilities of this nature can be translated
+into remote code execution, though the necessary exploits must be
+tailored to the individual application and are usually quite
+complicated.
+
+    CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8273 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h |  5 +++++
+ src/lib/gssapi/krb5/gssapi_krb5.c  |  2 +-
+ src/lib/gssapi/krb5/iakerb.c       | 42 +++++++++++++++++++++++++++++++-------
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+                               gss_ctx_id_t *context_handle,
+                               gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++                              const gss_buffer_t interprocess_token,
++                              gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+     NULL,
+ #else
+     iakerb_gss_export_sec_context,
+-    NULL,
++    iakerb_gss_import_sec_context,
+ #endif
+     krb5_gss_inquire_cred_by_mech,
+     krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index e25862d..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+                               gss_buffer_t interprocess_token)
+ {
+     OM_uint32 maj;
+-    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++    iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+     /* We don't currently support exporting partially established contexts. */
+     if (!ctx->established)
+@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+     return maj;
+ }
+ 
+-/*
+- * Until we implement partial context exports, there are no IAKERB exported
+- * context tokens, only tokens for the underlying krb5 context.  So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++                              gss_buffer_t interprocess_token,
++                              gss_ctx_id_t *context_handle)
++{
++    OM_uint32 maj, tmpmin;
++    krb5_error_code code;
++    gss_ctx_id_t gssc;
++    krb5_gss_ctx_id_t kctx;
++    iakerb_ctx_id_t ctx;
++
++    maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++    if (maj != GSS_S_COMPLETE)
++        return maj;
++    kctx = (krb5_gss_ctx_id_t)gssc;
++
++    if (!kctx->established) {
++        /* We don't currently support importing partially established
++         * contexts. */
++        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++        return GSS_S_FAILURE;
++    }
+ 
++    code = iakerb_alloc_context(&ctx, kctx->initiate);
++    if (code != 0) {
++        krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++        *minor_status = code;
++        return GSS_S_FAILURE;
++    }
++
++    ctx->gssc = gssc;
++    ctx->established = 1;
++    *context_handle = (gss_ctx_id_t)ctx;
++    return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV