[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
238/244: gnu: heimdal: Apply patch to fix CVE-2022-45142.
From: |
guix-commits |
Subject: |
238/244: gnu: heimdal: Apply patch to fix CVE-2022-45142. |
Date: |
Wed, 12 Apr 2023 08:49:38 -0400 (EDT) |
apteryx pushed a commit to branch staging
in repository guix.
commit 4edf7d93ddfdadde198e75c160e83e30eaba44ae
Author: Felix Lechner <felix.lechner@lease-up.com>
AuthorDate: Mon Apr 10 21:23:12 2023 -0700
gnu: heimdal: Apply patch to fix CVE-2022-45142.
Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.
The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 2 +
gnu/packages/patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++++++
3 files changed, 52 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index a5ac123586..eeb26d34d0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1329,6 +1329,7 @@ dist_patch_DATA =
\
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2022-45142.patch \
%D%/packages/patches/helm-fix-gcc-9-build.patch \
%D%/packages/patches/http-parser-CVE-2020-8287.patch \
%D%/packages/patches/htslib-for-stringtie.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 6f3770db28..2035f16d71 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ After installation, the system administrator should
generate keys using
(sha256
(base32
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+ (patches
+ (search-patches "heimdal-CVE-2022-45142.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch
b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
- 184/244: gnu: fcitx-qt5: Update to 1.2.7., (continued)
- 184/244: gnu: fcitx-qt5: Update to 1.2.7., guix-commits, 2023/04/12
- 217/244: gnu: execline: Update to 2.9.3.0., guix-commits, 2023/04/12
- 191/244: gnu: fcitx5-chinese-addons: Update to 5.0.17., guix-commits, 2023/04/12
- 195/244: gnu: garcon: Update to 4.18.1., guix-commits, 2023/04/12
- 157/244: gnu: seer-gdb: Update to 1.16., guix-commits, 2023/04/12
- 227/244: gnu: ijs: Fix cross-building to riscv64-linux., guix-commits, 2023/04/12
- 213/244: gnu: haproxy: Update to 2.7.6., guix-commits, 2023/04/12
- 188/244: gnu: fcitx5-gtk: Update to 5.0.23., guix-commits, 2023/04/12
- 203/244: gnu: xfburn: Update to 0.7.0., guix-commits, 2023/04/12
- 165/244: gnu: pyzo: Update to 4.12.8., guix-commits, 2023/04/12
- 238/244: gnu: heimdal: Apply patch to fix CVE-2022-45142.,
guix-commits <=
- 237/244: gnu: heimdal: Update to 7.8.0 [fixes CVE-2022-44640]., guix-commits, 2023/04/12
- 244/244: gnu: ruby-rubyzip: Re-instate all tests., guix-commits, 2023/04/12
- 241/244: services: nginx: Make logging level configurable., guix-commits, 2023/04/12
- 228/244: gnu: qpdf: Fix cross-building., guix-commits, 2023/04/12
- 234/244: gnu: opendht: Update to 2.5.2., guix-commits, 2023/04/12
- 173/244: gnu: Add emacs-flymake-popon., guix-commits, 2023/04/12
- 196/244: gnu: xfce4-panel: Update to 4.18.3., guix-commits, 2023/04/12
- 186/244: gnu: fcitx5: Update to 5.0.23., guix-commits, 2023/04/12
- 221/244: gnu: s6-rc: Update to 0.5.4.1., guix-commits, 2023/04/12
- 183/244: gnu: gerbil: Use G-expressions., guix-commits, 2023/04/12