Version in base suite: 7.7.0+dfsg-2+deb11u2 Base version: heimdal_7.7.0+dfsg-2+deb11u2 Target version: heimdal_7.7.0+dfsg-2+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/heimdal/heimdal_7.7.0+dfsg-2+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/heimdal/heimdal_7.7.0+dfsg-2+deb11u3.dsc changelog | 7 + patches/CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch | 42 ++++++++++ patches/series | 1 3 files changed, 50 insertions(+) diff -Nru heimdal-7.7.0+dfsg/debian/changelog heimdal-7.7.0+dfsg/debian/changelog --- heimdal-7.7.0+dfsg/debian/changelog 2022-11-19 10:39:50.000000000 +0000 +++ heimdal-7.7.0+dfsg/debian/changelog 2023-02-05 13:28:40.000000000 +0000 @@ -1,3 +1,10 @@ +heimdal (7.7.0+dfsg-2+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * gsskrb5: fix accidental logic inversions (CVE-2022-45142) + + -- Salvatore Bonaccorso Sun, 05 Feb 2023 14:28:40 +0100 + heimdal (7.7.0+dfsg-2+deb11u2) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru heimdal-7.7.0+dfsg/debian/patches/CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch heimdal-7.7.0+dfsg/debian/patches/CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch --- heimdal-7.7.0+dfsg/debian/patches/CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch 1970-01-01 00:00:00.000000000 +0000 +++ heimdal-7.7.0+dfsg/debian/patches/CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch 2023-02-05 13:28:40.000000000 +0000 
@@ -0,0 +1,42 @@ +From 5e6830aa2d5287fbccbda929b3b20575afa60940 Mon Sep 17 00:00:00 2001 +From: Helmut Grohne +Date: Sun, 5 Feb 2023 14:23:48 +0100 +Subject: [PATCH] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a4e4..eee6ad72fc07 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.39.1 + diff -Nru heimdal-7.7.0+dfsg/debian/patches/series heimdal-7.7.0+dfsg/debian/patches/series --- heimdal-7.7.0+dfsg/debian/patches/series 2022-11-19 10:39:50.000000000 +0000 +++ heimdal-7.7.0+dfsg/debian/patches/series 2023-02-05 13:28:40.000000000 +0000 
@@ -37,3 +37,4 @@ lib-krb5-fix-_krb5_get_int64-on-32-bit-systems.patch lib-krb5-krb5_pac_parse-mem-leak-if-pac_header_size-.patch kdc-Check-generate_pac-return-code.patch +CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch
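Review bot: The two `!= 0` changes in the new patch file give `cmp` the sense the guard after each of them expects: with `== 0`, `cmp` was true exactly when `ct_memcmp()` reported a match, so `if (cmp)` returned GSS_S_BAD_MIC for a correct checksum and fell through for a wrong one, in both `_gssapi_verify_mic_arcfour` (arcfour.c:365) and `_gssapi_unwrap_arcfour` (arcfour.c:730, the SGN_CKSUM check). The commit message says the inversion was introduced when backporting the CVE-2022-3437 change to 7.7.1 and 7.8.0, whereas this package is 7.7.0; before upload, confirm that the 7.7.0+dfsg-2+deb11u2 tree (with its existing debian/patches applied) really contains the `cmp = (ct_memcmp(..., 8) == 0);` lines at those two sites, otherwise quilt will not find this patch's context and the build fails. A short regression test that unwraps and verifies a token with a deliberately corrupted SGN_CKSUM would pin the direction of the comparison down for future backports.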
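Review bot: Appending CVE-2022-45142-gsskrb5-fix-accidental-logic-inversio.patch at the end of debian/patches/series is the right placement, since it amends lines that the earlier CVE-2022-3437 patch introduced and must apply after it; the file name matches both the changelog entry and the patch added in the previous hunk, so the series line needs no change.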