This was reported to us by Petr Štetiar of OpenWrt, and was fixed upstream in November 2021, hence the fix was included in the new Heimdal snapshot for 4.16.
The original report reputedly said:
> "A flawed logical condition in lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token."
The patch doesn't apply cleanly on our old snapshot, and it is not immediately clear to me how to adapt the second chunk.
There is no CVE assigned, and the veil of secrecy is somewhat incomplete, given it was patched upstream last year.
Restricting to Samba developers for now.
Created attachment 17504: a patch being handed round the internet
Attaching a patch we have received, that claims to be by Jeffrey Altman.
It might work better for the old versions, before the latest lorikeet Heimdal import. I haven't actually looked.
(In reply to Douglas Bagnall from comment #1)
> I haven't actually looked.
I did. It sort of applies to old and new, and I am still not really sure what the status of this bug is.
I am taking the liberty of CCing Jeffrey Altman and some of our Kerberos experts, in the hope that someone can work out which patches, if any, we need for our various versions.
Reportedly this will be published by CERT/CC on October 7.
I'm almost certain Samba doesn't run this codepath, we handle the SPNEGO in GENSEC, not in Heimdal.
Either way, this does not meet our bar for a security release, as it would be in a child process that is restarted.
https://samba-team.gitlab.io/samba/third_party/heimdal/lib/gssapi/spnego/index.html shows we don't run the Heimdal SPNEGO code, thankfully.
*** Bug 15204 has been marked as a duplicate of this bug. ***