Diffusion FreeBSD src repository 08ffa93d9f0e

heimdal: Fix CVE-2022-4152, signature validation error
08ffa93d9f0e
Actions

Description

heimdal: Fix CVE-2022-4152, signature validation error

When CVE-2022-3437 was fixed by changing memcmp to be a constant
time and the workaround for th e compiler was to add "!=0". However
the logic implmented was inverted resulting in CVE-2022-4152.

Reported by: Timothy E Zingelman <zingelman _AT_ fnal.gov>
Security: CVE-2022-4152
Security: https://www.cve.org/CVERecord?id=CVE-2022-45142
Security: https://nvd.nist.gov/vuln/detail/CVE-2022-45142
Security: https://security-tracker.debian.org/tracker/CVE-2022-45142
Security: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142
Security: https://bugzilla.samba.org/show_bug.cgi?id=15296
Security: https://www.openwall.com/lists/oss-security/2023/02/08/1
Approved by: re (cperciva)

(cherry picked from commit 5abaf0866445a61c11665fffc148ecd13a7bb9ac)
(cherry picked from commit 59c26d1a95a00418892e08341e3eae074c238680)

Details

Provenance

cy	Authored on Mar 10 2023, 1:03 AM
emaste	Committed on Mar 16 2023, 5:44 PM

Parents

rG61dad7633cd3: route.8: Don't reference an external command in EXAMPLES

Branches

Unknown

Tags

Unknown

Event Timeline

emaste committed rG08ffa93d9f0e: heimdal: Fix CVE-2022-4152, signature validation error (authored by cy).Mar 16 2023, 5:44 PM

Changes (1)

Path

Size

crypto/

heimdal/

lib/

gssapi/

krb5/

arcfour.c

rG08ffa93d9f0e

View Options

crypto/heimdal/lib/gssapi/krb5/arcfour.c