Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 893722 (CVE-2022-45142)

Summary: <app-crypt/heimdal-7.8.0-r1: Incorrect integrity check (incomplete CVE-2022-3437 fix)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kerberos
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2023/02/08/1
See Also: https://bugs.gentoo.org/show_bug.cgi?id=881429
https://bugzilla.samba.org/show_bug.cgi?id=15296
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 894490    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-09 04:11:10 UTC 
"""
CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was
fixed in both places. The fix included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0" comparisons to
the result of memcmp. When these patches were backported to the
heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a
logic inversion sneaked in causing the validation of message integrity
codes in gssapi/arcfour to be inverted.

This vulnerability does not affect samba nor the main heimdal branch and
only applies to backports. At least the 7.7.1 and 7.8.0 branches are
affected. CVE-2022-45142 has been assigned. All releases of Debian are
affected. At least one release of Fedora and Ubuntu are affected.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-02-09 04:20:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ea98796eb18ab898c602e5f4c447eb310090435

commit 8ea98796eb18ab898c602e5f4c447eb310090435
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-09 04:19:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-09 04:19:44 +0000

    app-crypt/heimdal: fix CVE-2022-45142
    
    Bug: https://bugs.gentoo.org/893722
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/heimdal-7.8.0-CVE-2022-45142.patch       |  36 ++++
 app-crypt/heimdal/heimdal-7.8.0-r1.ebuild          | 187 +++++++++++++++++++++
 2 files changed, 223 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-08-16 17:49:58 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bdef46539adc83699dd8db1c3eb5580e662cdb9

commit 8bdef46539adc83699dd8db1c3eb5580e662cdb9
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2023-08-16 17:49:26 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2023-08-16 17:49:26 +0000

    app-crypt/heimdal: drop 7.7.1, 7.8.0
    
    Bug: https://bugs.gentoo.org/893722
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/heimdal/Manifest             |   1 -
 app-crypt/heimdal/heimdal-7.7.1.ebuild | 186 ---------------------------------
 app-crypt/heimdal/heimdal-7.8.0.ebuild | 186 ---------------------------------
 3 files changed, 373 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-10-08 06:55:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7bd41611164b352f0d17174c80887b0eae1e870f

commit 7bd41611164b352f0d17174c80887b0eae1e870f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-08 06:51:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-08 06:55:17 +0000

    [ GLSA 202310-06 ] Heimdal: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/881429
    Bug: https://bugs.gentoo.org/893722
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-06.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)