CVE-2022-45142

Name: CVE-2022-45142
Description: The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches), a logic inversion sneaked in, causing the validation of message integrity codes in gssapi/arcfour to be inverted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3311-1, DSA-5344-1
Debian Bugs: 1030849
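The inversion the description talks about, reduced to a constructed C example. This is added here and is not Heimdal's code; ct_memcmp, verify_mic_correct, verify_mic_inverted, mic_verifier_self_test and MIC_LEN are assumed names. It shows a constant-time compare that returns 0 on equality, the MIC check written the way the CVE-2022-3437 fix intends (a "!= 0" result means mismatch, so reject), the inverted form beside it, and a self-test that catches the inversion: an inverted verifier rejects the matching MIC and accepts a forged one, so the test fails for it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time comparison: returns 0 when the buffers are equal and
 * nonzero otherwise. It always touches every byte, so the running time
 * does not reveal where the first mismatch is. Illustrative; not
 * Heimdal's ct_memcmp. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= pa[i] ^ pb[i];
    return diff;
}

#define MIC_LEN 8      /* assumed MIC size for the example */
#define MIC_OK  0
#define MIC_BAD 1

/* Correct check: a nonzero compare result means the received MIC does
 * not match the computed one, so the message is rejected. */
int verify_mic_correct(const uint8_t *computed, const uint8_t *received)
{
    if (ct_memcmp(computed, received, MIC_LEN) != 0)
        return MIC_BAD;
    return MIC_OK;
}

/* The inverted check of the kind the advisory describes: it rejects every
 * valid MIC and accepts every forged one. Constructed for illustration. */
int verify_mic_inverted(const uint8_t *computed, const uint8_t *received)
{
    if (ct_memcmp(computed, received, MIC_LEN) == 0)
        return MIC_BAD;
    return MIC_OK;
}

/* Regression self-test for a MIC verifier: it must accept a matching MIC
 * and reject one that differs in a single bit. Returns 1 on pass, 0 on
 * fail. A test like this catches a logic inversion in a backport. */
int mic_verifier_self_test(int (*verify)(const uint8_t *, const uint8_t *))
{
    /* Constructed sample MIC bytes; not taken from real traffic. */
    uint8_t mic[MIC_LEN] = {0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88};
    uint8_t forged[MIC_LEN];

    memcpy(forged, mic, MIC_LEN);
    forged[MIC_LEN - 1] ^= 0x01;   /* flip one bit: must be rejected */

    if (verify(mic, mic) != MIC_OK)
        return 0;
    if (verify(mic, forged) != MIC_BAD)
        return 0;
    return 1;
}

int main(void)
{
    printf("correct verifier self-test:  %s\n",
           mic_verifier_self_test(verify_mic_correct) ? "pass" : "FAIL");
    printf("inverted verifier self-test: %s\n",
           mic_verifier_self_test(verify_mic_inverted) ? "pass" : "FAIL");
    return 0;
}
```

The self-test is the point for anyone backporting such a change: the constant-time rewrite and the "!= 0" workaround are both invisible to a test that only checks the happy path, whereas one matching and one single-bit-forged MIC expose an inverted branch immediately.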

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                  Version                           Status
heimdal (PTS)    jessie, jessie (lts)                     1.6~rc2+dfsg-9+deb8u3             fixed
                 stretch (security)                       7.1.0+dfsg-13+deb9u3              fixed
                 stretch (lts), stretch                   7.1.0+dfsg-13+deb9u4              fixed
                 buster (security), buster, buster (lts)  7.5.0+dfsg-3+deb10u2              fixed
                 bullseye (security), bullseye            7.7.0+dfsg-2+deb11u3              fixed
                 bookworm                                 7.8.git20221117.28daf24+dfsg-2    fixed
                 sid, trixie                              7.8.git20221117.28daf24+dfsg-8    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version                     Urgency   Origin       Debian Bugs
heimdal   source   jessie       (not affected)
heimdal   source   stretch      (not affected)
heimdal   source   buster       7.5.0+dfsg-3+deb10u2                        DLA-3311-1
heimdal   source   bullseye     7.7.0+dfsg-2+deb11u3                        DSA-5344-1
heimdal   source   (unstable)   7.8.git20221117.28daf24+dfsg-1.1                         1030849

Notes

https://www.openwall.com/lists/oss-security/2023/02/08/1
https://bugzilla.samba.org/show_bug.cgi?id=15296
[stretch] - heimdal <not-affected> (CVE-2022-3437 backported correctly)
[jessie] - heimdal <not-affected> (CVE-2022-3437 backported correctly)
