Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libheimdal for openSUSE:Factory checked in at 2023-04-07 18:17:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libheimdal (Old) and /work/SRC/openSUSE:Factory/.libheimdal.new.19717 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libheimdal" Fri Apr 7 18:17:04 2023 rev:13 rq:1077833 version:7.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libheimdal/libheimdal.changes 2023-01-12 22:45:20.381217394 +0100 +++ /work/SRC/openSUSE:Factory/.libheimdal.new.19717/libheimdal.changes 2023-04-07 18:17:14.088859424 +0200 @@ -1,0 +2,7 @@ +Thu Apr 6 13:26:58 UTC 2023 - Dominique Leuenberger <dims...@opensuse.org> + +- Add heimdal-CVE-2022-45142.patch: Fix logic inversion introduced + when fixing/backporting CVE-2022-3437 (CVE-2022-45142, + boo#1208992). + +------------------------------------------------------------------- New: ---- heimdal-CVE-2022-45142.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libheimdal.spec ++++++ --- /var/tmp/diff_new_pack.YPjdLN/_old 2023-04-07 18:17:14.664862742 +0200 +++ /var/tmp/diff_new_pack.YPjdLN/_new 2023-04-07 18:17:14.668862765 +0200 @@ -30,6 +30,8 @@ Patch0: heimdal-patched.diff # PATCH-FIX-UPSTREAM bmwiedemann -- make build reproducible (boo#1047218) Patch1: reproducible.patch +# PATCH-FIX-UPSTREAM https://www.openwall.com/lists/oss-security/2023/02/08/1 +Patch2: heimdal-CVE-2022-45142.patch BuildRequires: automake >= 1.11 BuildRequires: bison BuildRequires: db-devel >= 4.8 ++++++ heimdal-CVE-2022-45142.patch ++++++ From: Helmut Grohne <hel...@...divi.de> Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions The referenced commit attempted to fix miscompilations with gcc-9 and gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, it also inverted the result of the comparison in two occasions. This inversion happened during backporting the patch to 7.7.1 and 7.8.0. Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour unwrap") Signed-off-by: Helmut Grohne <hel...@...divi.de> --- lib/gssapi/krb5/arcfour.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changes since v1: * Fix typo in commit message. * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. Changes since v2: * Add CVE identifier. diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c index e838d007a..eee6ad72f 100644 --- a/lib/gssapi/krb5/arcfour.c +++ b/lib/gssapi/krb5/arcfour.c @@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, return GSS_S_FAILURE; } - cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); + cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); if (cmp) { *minor_status = 0; return GSS_S_BAD_MIC; @@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_FAILURE; } - cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ + cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ if (cmp) { _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; -- 2.38.1
