CVE-2022-45142

Name
CVE-2022-45142
Description
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.openwall.com/lists/oss-security/2023/02/08/1
GENTOO https://security.gentoo.org/glsa/202310-06

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:heimdal_project:heimdal:7.8.0:*:*:*:*:*:*:* heimdal == None == 7.8.0
cpe:2.3:a:heimdal_project:heimdal:7.7.1:*:*:*:*:*:*:* heimdal == None == 7.7.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
heimdal 3.16-main 7.7.1-r0 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.15-main 7.7.1-r0 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.14-main 7.7.1-r1 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.17-main 7.8.0-r1 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.18-main 7.8.0-r3 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.19-main 7.8.0-r3 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.20-main 7.8.0-r3 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal edge-main 7.8.0-r4 Leonardo Arena <rnalrd@alpinelinux.org> fixed