GNU bug report logs - #62760
[PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos

Previous Next

Full log

View this message in rfc822 format

From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 62760 <at> debbugs.gnu.org
Cc: Felix Lechner <felix.lechner <at> lease-up.com>
Subject: [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
Date: Mon, 10 Apr 2023 12:52:25 -0700

Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]

At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.

The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
 gnu/packages/kerberos.scm                     |  2 +
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
               (sha256
                (base32
                 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+              (patches (search-patches
+                        "heimdal-CVE-2022-45142.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1
-- 
2.39.2

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.