Hi Simon,

On Tue, Jun 16, 2026 at 01:15:26AM +0200, Simon Josefsson wrote:
> Attached is a suggested debdiff for oldstable.  Ok to upload too?

Note, oldstable is now handled by the LTS team, so looping in the LTS
mailing list.

That said we acked the trixie-security update and this is almost the
same, so I would suggest to follow for bookworm as well with a DLA.

Regards,
Salvatore

> diff -Nru gsasl-2.2.0/debian/changelog gsasl-2.2.0/debian/changelog
> --- gsasl-2.2.0/debian/changelog      2026-05-13 14:20:34.000000000 +0200
> +++ gsasl-2.2.0/debian/changelog      2026-06-16 01:06:38.000000000 +0200
> @@ -1,3 +1,9 @@
> +gsasl (2.2.0-1+deb12u2) bookworm-security; urgency=medium
> +
> +  * NTLM client: Avoid use-of-unitialized-value inside libntlm
> +
> + -- Simon Josefsson <[email protected]>  Tue, 16 Jun 2026 01:06:38 +0200
> +
>  gsasl (2.2.0-1+deb12u1) bookworm-security; urgency=medium
>  
>    * Fix NULL pointer dereference in DIGEST-MD5 parser
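
Review bot: the new changelog entry at the top of this hunk spells "unitialized" (should be "uninitialized") and carries no reference to the report it fixes. Adding the help-gsasl URL that the patch header cites would let the entry be traced from the changelog alone.
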
> diff -Nru 
> gsasl-2.2.0/debian/patches/0001-NTLM-client-Avoid-use-of-unitialized-value-inside-li.patch
>  
> gsasl-2.2.0/debian/patches/0001-NTLM-client-Avoid-use-of-unitialized-value-inside-li.patch
> --- 
> gsasl-2.2.0/debian/patches/0001-NTLM-client-Avoid-use-of-unitialized-value-inside-li.patch
>         1970-01-01 01:00:00.000000000 +0100
> +++ 
> gsasl-2.2.0/debian/patches/0001-NTLM-client-Avoid-use-of-unitialized-value-inside-li.patch
>         2026-06-16 01:06:25.000000000 +0200
> @@ -0,0 +1,27 @@
> +From 5761f4c7066c079356ad610d2c98691d616212eb Mon Sep 17 00:00:00 2001
> +From: Simon Josefsson <[email protected]>
> +Date: Mon, 15 Jun 2026 22:28:47 +0200
> +Subject: [PATCH] NTLM client: Avoid use-of-unitialized-value inside libntlm
> +
> +Reported by [email protected] in:
> +https://lists.gnu.org/archive/html/help-gsasl/2026-06/msg00000.html
> +---
> + lib/ntlm/ntlm.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/lib/ntlm/ntlm.c b/lib/ntlm/ntlm.c
> +index 7fa55026..f3bba355 100644
> +--- a/lib/ntlm/ntlm.c
> ++++ b/lib/ntlm/ntlm.c
> +@@ -107,7 +107,7 @@ _gsasl_ntlm_client_step (Gsasl_session *sctx,
> +     if (input_len > sizeof (*challenge))
> +       return GSASL_MECHANISM_PARSE_ERROR;
> + 
> +-    challenge = malloc (sizeof (*challenge));
> ++    challenge = calloc (1, sizeof (*challenge));
> +     if (!challenge)
> +       return GSASL_MALLOC_ERROR;
> + 
> +-- 
> +2.54.0
> +
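
Review bot: in the lib/ntlm/ntlm.c change, the only length check visible in the context is the upper bound `input_len > sizeof (*challenge)`, so a challenge shorter than the structure is still accepted and whatever the input does not fill is now zero instead of uninitialized. If zero-filled fields are the intended handling of short input, a one-line comment beside the calloc call saying so would keep it from being turned back into malloc later; if not, a minimum-length check returning GSASL_MECHANISM_PARSE_ERROR belongs next to the existing one.
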
> diff -Nru gsasl-2.2.0/debian/patches/series gsasl-2.2.0/debian/patches/series
> --- gsasl-2.2.0/debian/patches/series 2026-05-13 14:20:02.000000000 +0200
> +++ gsasl-2.2.0/debian/patches/series 2026-06-16 01:06:25.000000000 +0200
> @@ -1 +1,2 @@
>  0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch
> +0001-NTLM-client-Avoid-use-of-unitialized-value-inside-li.patch
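
Review bot: the added series line gives the second patch the same 0001- prefix as the existing DIGEST-MD5 patch. Apply order comes from the series file, so this works, but renaming the new file to 0002-... would keep the directory listing in apply order and avoid confusion between the two.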
