CVE-2020-12658

Name: CVE-2020-12658
Description: gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. NOTE: An upstream comment states "We are already on a shutdown path when running the code in question, so a DoS there doesn't make any sense, and there has been no additional information provided us (as upstream) to indicate why this would be a problem."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2516-1
Debian Bugs: 978931

Vulnerable and fixed packages

The table below lists information on source packages.

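| Source Package | Release | Version | Status |
|---|---|---|---|
| gssproxy (PTS) | stretch (security), stretch (lts), stretch | 0.5.1-2+deb9u1 | fixed |
| gssproxy | buster | 0.8.0-1.1 | vulnerable |
| gssproxy | bullseye | 0.8.2-2 | vulnerable |
| gssproxy | bookworm | 0.9.1-1 | vulnerable |
| gssproxy | sid, trixie | 0.9.2-2 | vulnerable |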

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gssproxy | source | stretch | 0.5.1-2+deb9u1 | | DLA-2516-1 | |
| gssproxy | source | (unstable) | (unfixed) | unimportant | | 978931 |

Notes

https://github.com/gssapi/gssproxy/commit/cb761412e299ef907f22cd7c4146d50c8a792003 (v0.8.3)
code change in question only happens in a shutdown path.
