[Debian] CVE: CVE-2022-42898: krb5: integer overflows.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Critical | Zhixiong Chi |
Bug Description
CVE-2022-42898: https:/
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
Score:
cve_id | status | cvss3Score | av | ac | pr | ui | ai
---|---|---|---|---|---|---|---
CVE-2022-42898 | fixed | 8.8 | N | L | N | N | H
References:
https:/
['libgssapi-
Found during December 2022 CVE scan using vulscan
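The overflow class in the description above, shown as an added C illustration that is not krb5's code and not the StarlingX fix: a parser for the PAC header and buffer table as laid out in MS-PAC (4-byte cBuffers, 4-byte Version, then 16-byte PAC_INFO_BUFFER entries of ulType, cbBufferSize, Offset), with size arithmetic forced to 32 bits through a `size32_t` typedef so the wraparound that only bites on 32-bit builds is visible on any host. The three sample blobs are constructed for this example, and the "unchecked" and "checked" function pairs are assumed shapes of the pre-fix and hardened bounds tests, not lines quoted from lib/krb5/krb/pac.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PAC layout per MS-PAC: cBuffers(4) Version(4), then cBuffers entries of
 * ulType(4) cbBufferSize(4) Offset(8). Buffer offsets are 8-byte aligned. */
#define PAC_HEADER_LENGTH       8u
#define PAC_INFO_BUFFER_LENGTH  16u
#define PAC_ALIGNMENT           8u

/* Assumption for this example: emulate a 32-bit size_t on every host. */
typedef uint32_t size32_t;

typedef struct { uint32_t type; uint32_t size; uint64_t offset; } pac_info;

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t load_le64(const uint8_t *p)
{
    return (uint64_t)load_le32(p) | (uint64_t)load_le32(p + 4) << 32;
}

/* Pre-fix shape: 8 + cBuffers*16 wraps once cBuffers >= 2^28, so a huge
 * count passes the length test and the later entry loop reads past the blob. */
int pac_count_ok_unchecked(const uint8_t *buf, size32_t len)
{
    if (len < PAC_HEADER_LENGTH) return 0;
    uint32_t cbuffers = load_le32(buf);
    size32_t header_len = PAC_HEADER_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* wraps */
    return len >= header_len;
}

/* Hardened shape: divide the remaining length instead of multiplying the count. */
int pac_count_ok_checked(const uint8_t *buf, size32_t len)
{
    if (len < PAC_HEADER_LENGTH) return 0;
    uint32_t cbuffers = load_le32(buf);
    return (len - PAC_HEADER_LENGTH) / PAC_INFO_BUFFER_LENGTH >= cbuffers;
}

/* Pre-fix shape for one entry: offset + size computed in 32 bits wraps. */
int pac_entry_ok_unchecked(uint64_t offset, uint32_t size, size32_t len, size32_t header_len)
{
    size32_t end = (size32_t)offset + size;   /* wraps for a large cbBufferSize */
    return offset % PAC_ALIGNMENT == 0 && offset >= header_len && end <= len;
}

/* Hardened shape: bound the offset first, then compare size with what is left. */
int pac_entry_ok_checked(uint64_t offset, uint32_t size, size32_t len, size32_t header_len)
{
    return offset % PAC_ALIGNMENT == 0 && offset >= header_len && offset <= len &&
           size <= len - (size32_t)offset;
}

/* Full parse with the hardened checks: returns the buffer count, or -1 on rejection. */
int pac_parse_checked(const uint8_t *buf, size32_t len, pac_info *out, size_t max_out)
{
    if (!pac_count_ok_checked(buf, len)) return -1;
    uint32_t cbuffers = load_le32(buf);
    size32_t header_len = PAC_HEADER_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* cannot wrap now */
    if (cbuffers > max_out) return -1;
    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *e = buf + PAC_HEADER_LENGTH + i * PAC_INFO_BUFFER_LENGTH;
        out[i].type = load_le32(e);
        out[i].size = load_le32(e + 4);
        out[i].offset = load_le64(e + 8);
        if (!pac_entry_ok_checked(out[i].offset, out[i].size, len, header_len)) return -1;
    }
    return (int)cbuffers;
}

/* Convenience wrapper: parse into scratch space and report only the count. */
int pac_buffer_count(const uint8_t *buf, size32_t len)
{
    pac_info tmp[8];
    return pac_parse_checked(buf, len, tmp, 8);
}

/* Constructed sample blobs (little-endian), not captured from a real KDC. */
const uint8_t pac_wrap_count[24] = {
    0x01,0x00,0x00,0x10,                      /* cBuffers = 0x10000001; *16 wraps to 16 */
    0x00,0x00,0x00,0x00,                      /* Version */
    0x01,0,0,0, 0x00,0,0,0, 0x18,0,0,0,0,0,0,0 /* one entry: type 1, size 0, offset 24 */
};
const uint8_t pac_good[32] = {
    0x01,0,0,0, 0,0,0,0,
    0x01,0,0,0, 0x08,0,0,0, 0x18,0,0,0,0,0,0,0, /* type 1, size 8, offset 24 */
    'A','B','C','D','E','F','G','H'
};
const uint8_t pac_wrap_size[32] = {
    0x01,0,0,0, 0,0,0,0,
    0x01,0,0,0, 0xF0,0xFF,0xFF,0xFF, 0x18,0,0,0,0,0,0,0, /* size 0xFFFFFFF0: 24+size wraps to 8 */
    'A','B','C','D','E','F','G','H'
};

int main(void)
{
    printf("wrap_count unchecked=%d checked=%d\n",
           pac_count_ok_unchecked(pac_wrap_count, sizeof pac_wrap_count),
           pac_count_ok_checked(pac_wrap_count, sizeof pac_wrap_count));
    printf("good count=%d, wrap_size count=%d\n",
           pac_buffer_count(pac_good, sizeof pac_good),
           pac_buffer_count(pac_wrap_size, sizeof pac_wrap_size));
    return 0;
}
```

The two hardened checks share one idea: never form `count * entry_size` or `offset + size` in the native size type and then compare; rearrange the comparison (divide the remaining length, or subtract the already-bounded offset) so no intermediate can exceed `len`. That is why the same parser is only a denial of service on 64-bit hosts, where the products and sums still fit, but a heap overflow on 32-bit ones.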
CVE References
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: New → Triaged
importance: Undecided → Critical
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
status: Triaged → In Progress
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/869624