mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
samba: fix CVE-2022-45142
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted. References: https://nvd.nist.gov/vuln/detail/CVE-2022-45142 Upstream patches: https://www.openwall.com/lists/oss-security/2023/02/08/1 https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
9d203efe8f
commit
84544d6440
@@ -0,0 +1,51 @@
|
|||||||
|
From: Helmut Grohne <helmut@...divi.de>
|
||||||
|
Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
|
||||||
|
|
||||||
|
The referenced commit attempted to fix miscompilations with gcc-9 and
|
||||||
|
gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
|
||||||
|
it also inverted the result of the comparison in two occasions. This
|
||||||
|
inversion happened during backporting the patch to 7.7.1 and 7.8.0.
|
||||||
|
|
||||||
|
Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
|
||||||
|
for arcfour unwrap")
|
||||||
|
Signed-off-by: Helmut Grohne <helmut@...divi.de>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://www.openwall.com/lists/oss-security/2023/02/08/1]
|
||||||
|
CVE: CVE-2022-45142
|
||||||
|
|
||||||
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||||
|
---
|
||||||
|
lib/gssapi/krb5/arcfour.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
Changes since v1:
|
||||||
|
* Fix typo in commit message.
|
||||||
|
* Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
|
||||||
|
|
||||||
|
Changes since v2:
|
||||||
|
* Add CVE identifier.
|
||||||
|
|
||||||
|
diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
|
||||||
|
index e838d007a..eee6ad72f 100644
|
||||||
|
--- a/lib/gssapi/krb5/arcfour.c
|
||||||
|
+++ b/lib/gssapi/krb5/arcfour.c
|
||||||
|
@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
|
||||||
|
+ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
|
||||||
|
if (cmp) {
|
||||||
|
*minor_status = 0;
|
||||||
|
return GSS_S_BAD_MIC;
|
||||||
|
@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
|
||||||
|
+ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
|
||||||
|
if (cmp) {
|
||||||
|
_gsskrb5_release_buffer(minor_status, output_message_buffer);
|
||||||
|
*minor_status = 0;
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
|
|||||||
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
|
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
|
||||||
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
|
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
|
||||||
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
|
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
|
||||||
|
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:libc-musl = " \
|
SRC_URI:append:libc-musl = " \
|
||||||
|
|||||||
Reference in New Issue
Block a user