Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 893722 (CVE-2022-45142) - <app-crypt/heimdal-7.8.0-r1: Incorrect integrity check (incomplete CVE-2022-3437 fix)
Summary: <app-crypt/heimdal-7.8.0-r1: Incorrect integrity check (incomplete CVE-2022-3...
Alias: CVE-2022-45142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Depends on: 894490
  Show dependency tree
Reported: 2023-02-09 04:11 UTC by Sam James
Modified: 2023-10-08 06:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-09 04:11:10 UTC
CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was
fixed in both places. The fix included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0" comparisons to
the result of memcmp. When these patches were backported to the
heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a
logic inversion sneaked in causing the validation of message integrity
codes in gssapi/arcfour to be inverted.

This vulnerability does not affect samba nor the main heimdal branch and
only applies to backports. At least the 7.7.1 and 7.8.0 branches are
affected. CVE-2022-45142 has been assigned. All releases of Debian are
affected. At least one release of Fedora and Ubuntu are affected.
Comment 1 Larry the Git Cow gentoo-dev 2023-02-09 04:20:15 UTC
The bug has been referenced in the following commit(s):

commit 8ea98796eb18ab898c602e5f4c447eb310090435
Author:     Sam James <>
AuthorDate: 2023-02-09 04:19:34 +0000
Commit:     Sam James <>
CommitDate: 2023-02-09 04:19:44 +0000

    app-crypt/heimdal: fix CVE-2022-45142
    Signed-off-by: Sam James <>

 .../files/heimdal-7.8.0-CVE-2022-45142.patch       |  36 ++++
 app-crypt/heimdal/heimdal-7.8.0-r1.ebuild          | 187 +++++++++++++++++++++
 2 files changed, 223 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-08-16 17:49:58 UTC
The bug has been referenced in the following commit(s):

commit 8bdef46539adc83699dd8db1c3eb5580e662cdb9
Author:     Eray Aslan <>
AuthorDate: 2023-08-16 17:49:26 +0000
Commit:     Eray Aslan <>
CommitDate: 2023-08-16 17:49:26 +0000

    app-crypt/heimdal: drop 7.7.1, 7.8.0
    Signed-off-by: Eray Aslan <>

 app-crypt/heimdal/Manifest             |   1 -
 app-crypt/heimdal/heimdal-7.7.1.ebuild | 186 ---------------------------------
 app-crypt/heimdal/heimdal-7.8.0.ebuild | 186 ---------------------------------
 3 files changed, 373 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-10-08 06:55:21 UTC
The bug has been referenced in the following commit(s):

commit 7bd41611164b352f0d17174c80887b0eae1e870f
Author:     GLSAMaker <>
AuthorDate: 2023-10-08 06:51:59 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-10-08 06:55:17 +0000

    [ GLSA 202310-06 ] Heimdal: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202310-06.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)