Hi Sam,

On Thu, Nov 17, 2022 at 09:49:20AM -0700, Sam Hartman wrote:
> >>>>> "Salvatore" == Salvatore Bonaccorso <car...@debian.org> writes:
>
>     >> Will fix for unstable tomorrow.
>
>     Salvatore> Thank you.
>
>     >> I'm still trying to understand the practical impact. Do you
>     >> think you're going to want to issue a DSA for stable?
>
>     Salvatore> We were originally thinking so (and Moritz added krb5 to
>     Salvatore> the DSA needed list), as at least for 32bit architectures
>     Salvatore> it might be possible to go beyond denial of service and
>     Salvatore> potentially leading to remote code execution. But if your
>     Salvatore> assessment on the issue makes you confident it's not DSA
>     Salvatore> worthy we can re-evaluate.
>
> I strongly encourage a DSA.
> There's the 32-bit issue, but I'm also concerned about what happens if
> there is a cross-realm trust.
> I think the issue is that with cross-realm trust you may be able to get
> the KDC to produce a PAC containing out-of-bounds memory and send it out.
> And then if you have a service that can decrypt that PAC, look at that
> memory, possibly including the service keys.
> So it may lead to an entire realm compromise.
> What I can't entirely tell is whether that's limited to 32-bit
> architectures or whether you could potentially have that happen on
> 64-bit architectures.
>
> Either way that's really bad.
Thanks for sharing the analysis. Can you prepare a debdiff for
bullseye-security accordingly, so we can release an update via a DSA?

Regards,
Salvatore