Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-18 Thread Salvatore Bonaccorso
Hi Sam,

On Thu, Nov 17, 2022 at 01:11:44PM -0700, Sam Hartman wrote:
> > "Salvatore" == Salvatore Bonaccorso writes:
> Salvatore> Thanks for sharing the analysis. Can you prepare debdiff
> Salvatore> for bullseye-security accordingly, so we can release an
> Salvatore> update via a

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-17 Thread Sam Hartman
> "Salvatore" == Salvatore Bonaccorso writes:
Salvatore> We were originally thinking so (and Moritz added krb5 to
Salvatore> the DSA needed list), as at least for 32bit architectures
Salvatore> it might be possible to go beyond denial of service and
Salvatore> potentially lead

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-17 Thread Sam Hartman
> "Salvatore" == Salvatore Bonaccorso writes:
Salvatore> Thanks for sharing the analysis. Can you prepare debdiff
Salvatore> for bullseye-security accordingly, so we can release an
Salvatore> update via a DSA?

diff --git a/debian/changelog b/debian/changelog
index d6eaa38262..60fb

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-17 Thread Salvatore Bonaccorso
Hi Sam,

On Thu, Nov 17, 2022 at 09:49:20AM -0700, Sam Hartman wrote:
> > "Salvatore" == Salvatore Bonaccorso writes:
> >> Will fix for unstable tomorrow.
>
> Salvatore> Thank you.
>
> >> I'm still trying to understand the practical impact. Do you
> >> think you're going to

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-17 Thread Sam Hartman
> "Salvatore" == Salvatore Bonaccorso writes:
>> Will fix for unstable tomorrow.
Salvatore> Thank you.
>> I'm still trying to understand the practical impact. Do you
>> think you're going to want to issue a DSA for stable?
Salvatore> We were originally thinking so (and

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-17 Thread Salvatore Bonaccorso
Hi Sam,

On Wed, Nov 16, 2022 at 07:32:00PM -0700, Sam Hartman wrote:
> > "Salvatore" == Salvatore Bonaccorso writes:
> Salvatore> Hi,
>
> Salvatore> The following vulnerability was published for krb5.
>
> Salvatore> CVE-2022-42898[0]: | integer overflows in PAC parsing
>

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-16 Thread Sam Hartman
> "Salvatore" == Salvatore Bonaccorso writes:
Salvatore> Hi,
Salvatore> The following vulnerability was published for krb5.
Salvatore> CVE-2022-42898[0]: | integer overflows in PAC parsing
Salvatore> If you fix the vulnerability please also make sure to
Salvatore> includ

Bug#1024267: krb5: CVE-2022-42898: integer overflows in PAC parsing

2022-11-16 Thread Salvatore Bonaccorso
Source: krb5
Version: 1.20-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 1.18.3-6+deb11u2
Control: found -1 1.18.3-6
Control: found -1 1.8+dfsg-1

Hi,

The following vulnerability was published for krb5.

CVE-2022-42898[0]:
| inte