heimdal-7.7.1 and heimdal-7.8.0 are missing CVE-2022-42898 fix #1161
Comments
|
Ping? I know the dominant platforms these days are LP64 and thus unaffected by this, but it is a security issue for anyone on LP32 like i386 and armv7 and the release notes appear to be misleading users into thinking it's fixed. |
|
Thanks for this report. I don't know how that happened, but we'll prep new releases. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The Heimdal 7.7.1 release notes say:
Likewise the Heimdal 7.8.0 release notes:
However, the fix does not appear to have been applied in the heimdal-7.7.1 tag (https://github.com/heimdal/heimdal/blob/heimdal-7.7.1/lib/krb5/store-int.c#L52):
heimdal/lib/krb5/store-int.c
Line 52 in 78077c3
Nor does it appear to have been applied in the heimdal-7.8.0 tag (https://github.com/heimdal/heimdal/blob/heimdal-7.8.0/lib/krb5/store-int.c#L52):
heimdal/lib/krb5/store-int.c
Line 52 in a6cf945
Compare master as of today:
heimdal/lib/krb5/store-int.c
Line 52 in 1b954fa
To Reproduce
code inspection
Expected behavior
fix exists on 7.7.1 and 7.8.0 (well, a bit late for that now, but maybe 7.7.2 and 7.8.1, along with the CVE-2022-45142 fix?)
The text was updated successfully, but these errors were encountered: