CVE-2022-44640

Name	CVE-2022-44640
Description	Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3206-1, DSA-5287-1
Debian Bugs	1024187

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
heimdal (PTS)	bullseye (security), bullseye	7.7.0+dfsg-2+deb11u3	fixed
	bookworm	7.8.git20221117.28daf24+dfsg-2	fixed
	sid, trixie	7.8.git20221117.28daf24+dfsg-9	fixed
samba (PTS)	bullseye (security), bullseye	2:4.13.13+dfsg-1~deb11u6	vulnerable
	bookworm, bookworm (security)	2:4.17.12+dfsg-0+deb12u1	fixed
	sid, trixie	2:4.22.1+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
heimdal	source	buster	7.5.0+dfsg-3+deb10u1	DLA-3206-1
heimdal	source	bullseye	7.7.0+dfsg-2+deb11u2	DSA-5287-1
heimdal	source	(unstable)	7.8.git20221115.a6cf945+dfsg-1		1024187
samba	source	(unstable)	2:4.17.4+dfsg-1

Notes

[bullseye] - samba <ignored> (Domain controller functionality is EOLed, see DSA DSA-5477-1)
[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
https://github.com/heimdal/heimdal/security/advisories/GHSA-88pm-hfmq-7vv4
https://github.com/heimdal/heimdal/commit/ea5ec8f174920cb80ce2b168b49195378420449e (heimdal-7.7.1)
https://bugzilla.samba.org/show_bug.cgi?id=14929