gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. Reference: https://github.com/gssapi/gssproxy/commit/cb761412e299ef907f22cd7c4146d50c8a792003 https://github.com/gssapi/gssproxy/compare/v0.8.2...v0.8.3
Created gssproxy tracking bugs for this issue: Affects: fedora-all [bug 1918259]
Hi, we (gssproxy upstream) do not believe this is a CVE and MITRE has marked it as disputed, per our request: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12658 Please do not create trackers that we have to close.
hey @tcullum I agree with the discussion @rharwood, this was my understanding as well
External References: https://github.com/gssapi/gssproxy/commit/cb761412e299ef907f22cd7c4146d50c8a792003#commitcomment-45670376
Statement: Red Hat Product Security does not view this as a security vulnerability because no service will be denied since the bug is triggered on an exit path of the program, which means that the program would already be stopping service and thus a malicious attacker would gain no impact to availability by triggering the bug.