gnu: heimdal: Apply patch to fix CVE-2022-45142.
Several recent Heimdal releases are affected by the serious vulnerability CVE-2022-45142, which NIST scored as "7.5 HIGH". [1] At the time of writing, the upstream developers had not yet cut any releases post-7.8.0, which is why the patch is being applied here. The patch was extracted from Helmut Grohne's public vulnerability disclosure. [2] [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142 [2] https://www.openwall.com/lists/oss-security/2023/02/08/1 * gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/kerberos.scm (heimdal)[source]: Apply it. Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
This commit is contained in:
parent
789554cb76
commit
691f17a8cc
@ -1328,6 +1328,7 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
|
||||
%D%/packages/patches/hdf-eos5-fix-szip.patch \
|
||||
%D%/packages/patches/hdf-eos5-fortrantests.patch \
|
||||
%D%/packages/patches/heimdal-CVE-2022-45142.patch \
|
||||
%D%/packages/patches/helm-fix-gcc-9-build.patch \
|
||||
%D%/packages/patches/http-parser-CVE-2020-8287.patch \
|
||||
%D%/packages/patches/htslib-for-stringtie.patch \
|
||||
|
@ -176,6 +176,8 @@ After installation, the system administrator should generate keys using
|
||||
(sha256
|
||||
(base32
|
||||
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
|
||||
(patches
|
||||
(search-patches "heimdal-CVE-2022-45142.patch"))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
'(begin
|
||||
|
49
gnu/packages/patches/heimdal-CVE-2022-45142.patch
Normal file
49
gnu/packages/patches/heimdal-CVE-2022-45142.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From: Helmut Grohne <helmut@...divi.de>
|
||||
Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
|
||||
|
||||
The referenced commit attempted to fix miscompilations with gcc-9 and
|
||||
gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
|
||||
it also inverted the result of the comparison in two occasions. This
|
||||
inversion happened during backporting the patch to 7.7.1 and 7.8.0.
|
||||
|
||||
Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
|
||||
for arcfour unwrap")
|
||||
Signed-off-by: Helmut Grohne <helmut@...divi.de>
|
||||
---
|
||||
lib/gssapi/krb5/arcfour.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
Changes since v1:
|
||||
* Fix typo in commit message.
|
||||
* Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
|
||||
|
||||
Changes since v2:
|
||||
* Add CVE identifier.
|
||||
|
||||
NB (Felix Lechner): The message above and the patch below were taken from the
|
||||
disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
|
||||
|
||||
diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
|
||||
index e838d007a..eee6ad72f 100644
|
||||
--- a/lib/gssapi/krb5/arcfour.c
|
||||
+++ b/lib/gssapi/krb5/arcfour.c
|
||||
@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
|
||||
+ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
|
||||
if (cmp) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_MIC;
|
||||
@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
|
||||
+ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
|
||||
if (cmp) {
|
||||
_gsskrb5_release_buffer(minor_status, output_message_buffer);
|
||||
*minor_status = 0;
|
||||
--
|
||||
2.38.1
|
Loading…
Reference in New Issue
Block a user