Your message dated Mon, 17 Apr 2023 15:25:31 +0200
with message-id <ZD1Iy679tU81/[email protected]>
and subject line Re: Bug#1033755: heimdal: CVE-2022-3116
has caused the Debian Bug report #1033755,
regarding heimdal: CVE-2022-3116
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: heimdal
Version: 7.8.git20221117.28daf24+dfsg-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 7.7.0+dfsg-2+deb11u3
Control: found -1 7.7.0+dfsg-2
Hi,
The following vulnerability was published for heimdal.
CVE-2022-3116[0]:
| The Heimdal Software Kerberos 5 implementation is vulnerable to a null
| pointer dereference. An attacker with network access to an application
| that depends on the vulnerable code path can cause the application to
| crash.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-3116
https://www.cve.org/CVERecord?id=CVE-2022-3116
[1] https://github.com/heimdal/heimdal/commit/7a19658c1f4fc4adf85bb7bea96caae5ba57b33e
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi Brian,
On Mon, Apr 10, 2023 at 02:54:42PM +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 08, 2023 at 01:44:33PM +0200, Salvatore Bonaccorso wrote:
> > Hi Brian,
> >
> > On Sat, Apr 08, 2023 at 07:56:55PM +1000, Brian May wrote:
> > > Salvatore Bonaccorso <[email protected]> writes:
> > >
> > > > Version: 7.8.git20221117.28daf24+dfsg-1.1
> > >
> > > Are you sure this applies to the unstable version?
> > >
> > > I can only find one out of two chunks in the patch. Maybe it was already
> > > fixed in the stable branch which we use for unstable?
> >
> > I *was* almost sure this was only fixed in the master branch of
> > Heimdal and was not in 7.7.0 as well, and 7.8 does not seem to have
> > the change applied as well.
> >
> > But I will double-check again.
> >
> > https://www.kb.cert.org/vuls/id/730793 contains some more information
> > and some distributions like Ubuntu did cherry pick the fix as well in
> > their respective 7.7.0 and 7.5.0 based versions.
>
> Here is what Ubuntu has backported for the older series, for 7.7.0
> https://launchpadlibrarian.net/628258298/heimdal_7.7.0+dfsg-1ubuntu1_7.7.0+dfsg-1ubuntu1.1.diff.gz
> and for 7.5.0 it is included in
> https://launchpadlibrarian.net/628240960/heimdal_7.5.0+dfsg-1_7.5.0+dfsg-1ubuntu0.1.diff.gz
> and the change for spnego/accept_sec_context.c still applies to the
> version in unstable.
>
> The upstream code was refactored in master branch of upstream project,
> but the underlying issue seems what is touched there.
>
> Unfortunately I have no further information available on the heimdal
> issue, still it might be worth getting this fixed via unstable in
> bookworm.
>
> Let me know what you think, Brian.
I made the following change to the security-tracker metadata:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99013142d2f81b3c821be4c6683e7157615977e2
The reason behind that is I think we should consider CVE-2022-3116 and
CVE-2021-44758 different issues, I'm not completely sure, but
CVE-2021-44758 was analogous dealing with the code.
Regards,
Salvatore
--- End Message ---