""" CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was fixed in both places. The fix included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted. This vulnerability does not affect samba nor the main heimdal branch and only applies to backports. At least the 7.7.1 and 7.8.0 branches are affected. CVE-2022-45142 has been assigned. All releases of Debian are affected. At least one release of Fedora and Ubuntu are affected. """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ea98796eb18ab898c602e5f4c447eb310090435 commit 8ea98796eb18ab898c602e5f4c447eb310090435 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-02-09 04:19:34 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-02-09 04:19:44 +0000 app-crypt/heimdal: fix CVE-2022-45142 Bug: https://bugs.gentoo.org/893722 Signed-off-by: Sam James <sam@gentoo.org> .../files/heimdal-7.8.0-CVE-2022-45142.patch | 36 ++++ app-crypt/heimdal/heimdal-7.8.0-r1.ebuild | 187 +++++++++++++++++++++ 2 files changed, 223 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bdef46539adc83699dd8db1c3eb5580e662cdb9 commit 8bdef46539adc83699dd8db1c3eb5580e662cdb9 Author: Eray Aslan <eras@gentoo.org> AuthorDate: 2023-08-16 17:49:26 +0000 Commit: Eray Aslan <eras@gentoo.org> CommitDate: 2023-08-16 17:49:26 +0000 app-crypt/heimdal: drop 7.7.1, 7.8.0 Bug: https://bugs.gentoo.org/893722 Signed-off-by: Eray Aslan <eras@gentoo.org> app-crypt/heimdal/Manifest | 1 - app-crypt/heimdal/heimdal-7.7.1.ebuild | 186 --------------------------------- app-crypt/heimdal/heimdal-7.8.0.ebuild | 186 --------------------------------- 3 files changed, 373 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7bd41611164b352f0d17174c80887b0eae1e870f commit 7bd41611164b352f0d17174c80887b0eae1e870f Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-08 06:51:59 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-10-08 06:55:17 +0000 [ GLSA 202310-06 ] Heimdal: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/881429 Bug: https://bugs.gentoo.org/893722 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202310-06.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+)