Message ID | 6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com |
---|---|
State | New |
Headers | show |
Series | [bug#62760,v2,1/3] gnu: heimdal: Update to 7.8.0. | expand |
Hi, Felix Lechner <felix.lechner@lease-up.com> writes: > Several recent Heimdal releases are affected by the serious vulnerability > CVE-2022-45142, which NIST scored as "7.5 HIGH". [1] > > At the time of writing, the upstream developers had not yet cut any releases > post-7.8.0, which is why the patch is being applied here. > > The patch was extracted from Helmut Grohne's public vulnerability > disclosure. [2] > > [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142 > [2] https://www.openwall.com/lists/oss-security/2023/02/08/1 > > * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for > CVE-2022-45142. I've fixed the change log commit message like so: --8<---------------cut here---------------start------------->8--- * gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/kerberos.scm (heimdal)[source]: Apply it. --8<---------------cut here---------------end--------------->8--- > --- > gnu/local.mk | 1 + > gnu/packages/kerberos.scm | 2 + > .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++ > 3 files changed, 52 insertions(+) > create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index b7e19b6bc2..f4cd3f448a 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1327,6 +1327,7 @@ dist_patch_DATA = \ > %D%/packages/patches/hdf-eos5-remove-gctp.patch \ > %D%/packages/patches/hdf-eos5-fix-szip.patch \ > %D%/packages/patches/hdf-eos5-fortrantests.patch \ > + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ > %D%/packages/patches/helm-fix-gcc-9-build.patch \ > %D%/packages/patches/http-parser-CVE-2020-8287.patch \ > %D%/packages/patches/htslib-for-stringtie.patch \ > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index ae4efcbc23..0faf879e35 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm > @@ -176,6 +176,8 @@ (define-public heimdal > (sha256 > (base32 > "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) > + (patches (search-patches > + "heimdal-CVE-2022-45142.patch")) Nitpick; I've used the more conventional indentation for patches: --8<---------------cut here---------------start------------->8--- (patches (search-patches "heimdal-CVE-2022-45142.patch")) --8<---------------cut here---------------end--------------->8--- Thank you!
diff --git a/gnu/local.mk b/gnu/local.mk index b7e19b6bc2..f4cd3f448a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1327,6 +1327,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ %D%/packages/patches/helm-fix-gcc-9-build.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/htslib-for-stringtie.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index ae4efcbc23..0faf879e35 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -176,6 +176,8 @@ (define-public heimdal (sha256 (base32 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) + (patches (search-patches + "heimdal-CVE-2022-45142.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch new file mode 100644 index 0000000000..a7258a937c --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch @@ -0,0 +1,49 @@ +From: Helmut Grohne <helmut@...divi.de> +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne <helmut@...divi.de> +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +NB (Felix Lechner): The message above and the patch below were taken from the +disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1 + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1