The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
References: https://nvd.nist.gov/vuln/detail/CVE-2022-45142 Upstream patches: https://www.openwall.com/lists/oss-security/2023/02/08/1 https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> --- .../samba/samba/CVE-2022-45142.patch | 51 +++++++++++++++++++ .../samba/samba_4.14.14.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch new file mode 100644 index 000000000..d6b9826e4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch @@ -0,0 +1,51 @@ +From: Helmut Grohne <hel...@...divi.de> +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne <hel...@...divi.de> + +Upstream-Status: Backport [https://www.openwall.com/lists/oss-security/2023/02/08/1] +CVE: CVE-2022-45142 + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1 diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index 39ba85194..cc07d51dc 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb @@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \ file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \ file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \ + file://CVE-2022-45142.patch;patchdir=source4/heimdal \ " SRC_URI:append:libc-musl = " \ -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#103341): https://lists.openembedded.org/g/openembedded-devel/message/103341 Mute This Topic: https://lists.openembedded.org/mt/99569127/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-