CVE-2022-45142

NameCVE-2022-45142
DescriptionThe fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3311-1, DSA-5344-1
Debian Bugs1030849

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
heimdal (PTS)buster7.5.0+dfsg-3vulnerable
buster (security)7.5.0+dfsg-3+deb10u2fixed
bullseye (security), bullseye7.7.0+dfsg-2+deb11u3fixed
bookworm7.8.git20221117.28daf24+dfsg-2fixed
trixie7.8.git20221117.28daf24+dfsg-4fixed
sid7.8.git20221117.28daf24+dfsg-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
heimdalsourcebuster7.5.0+dfsg-3+deb10u2DLA-3311-1
heimdalsourcebullseye7.7.0+dfsg-2+deb11u3DSA-5344-1
heimdalsource(unstable)7.8.git20221117.28daf24+dfsg-1.11030849

Notes

https://www.openwall.com/lists/oss-security/2023/02/08/1
https://bugzilla.samba.org/show_bug.cgi?id=15296

Search for package or bug name: Reporting problems