On Sat, Apr 08, 2023 at 01:44:33PM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
> 
> On Sat, Apr 08, 2023 at 07:56:55PM +1000, Brian May wrote:
> > Salvatore Bonaccorso <[email protected]> writes:
> > 
> > > Version: 7.8.git20221117.28daf24+dfsg-1.1
> > 
> > Are you sure this applies to the unstable version?
> > 
> > I can only find one out of two chunks in the patch. Maybe it was already
> > fixed in the stable branch which we use for unstable?
> 
> I *was* almost sure this was only fixed in the master branch of
> Heimdal and was not in 7.7.0 as well, and 7.8 does not seem to have
> the change applied as well. 
> 
> But I will double-check again.
> 
> https://www.kb.cert.org/vuls/id/730793 contains some more information
> and some distributions like Ubuntu did cherry pick the fix as well in
> their respective 7.7.0 and 7.5.0 based versions.

Here is what Ubuntu has backported for the older series, for 7.7.0
https://launchpadlibrarian.net/628258298/heimdal_7.7.0+dfsg-1ubuntu1_7.7.0+dfsg-1ubuntu1.1.diff.gz
and for 7.5.0 it is included in
https://launchpadlibrarian.net/628240960/heimdal_7.5.0+dfsg-1_7.5.0+dfsg-1ubuntu0.1.diff.gz
and the change for spnego/accept_sec_context.c still applies to the
version in unstable.

The upstream code was refactored in the master branch of the upstream
project, but the underlying issue seems to be what is touched there.

Unfortunately I have no further information available on the heimdal
issue; still, it might be worth getting this fixed via unstable in
bookworm.

Let me know what you think, Brian.

Regards,
Salvatore
