diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2023-03-10 01:03:52 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2023-03-16 17:44:41 +0000 |
| commit | 08ffa93d9f0e5c03b15e6f3326d5a0056bfc4a52 (patch) | |
| tree | fbd54cdeb963812d7eeb31b86aa8bb03175c528c | |
| parent | 61dad7633cd3eeacd734cdb0338331b751bd6ab0 (diff) | |
| download | src-08ffa93d9f0e5c03b15e6f3326d5a0056bfc4a52.tar.gz src-08ffa93d9f0e5c03b15e6f3326d5a0056bfc4a52.zip | |
heimdal: Fix CVE-2022-4152, signature validation error
When CVE-2022-3437 was fixed by changing memcmp to be a constant
time and the workaround for th e compiler was to add "!=0". However
the logic implmented was inverted resulting in CVE-2022-4152.
Reported by: Timothy E Zingelman <zingelman _AT_ fnal.gov>
Security: CVE-2022-4152
Security: https://www.cve.org/CVERecord?id=CVE-2022-45142
Security: https://nvd.nist.gov/vuln/detail/CVE-2022-45142
Security: https://security-tracker.debian.org/tracker/CVE-2022-45142
Security: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142
Security: https://bugzilla.samba.org/show_bug.cgi?id=15296
Security: https://www.openwall.com/lists/oss-security/2023/02/08/1
Approved by: re (cperciva)
(cherry picked from commit 5abaf0866445a61c11665fffc148ecd13a7bb9ac)
(cherry picked from commit 59c26d1a95a00418892e08341e3eae074c238680)
| -rw-r--r-- | crypto/heimdal/lib/gssapi/krb5/arcfour.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/arcfour.c b/crypto/heimdal/lib/gssapi/krb5/arcfour.c index 3b8d452877dd..7d1143c95d83 100644 --- a/crypto/heimdal/lib/gssapi/krb5/arcfour.c +++ b/crypto/heimdal/lib/gssapi/krb5/arcfour.c @@ -307,7 +307,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, return GSS_S_FAILURE; } - cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); + cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); if (cmp) { *minor_status = 0; return GSS_S_BAD_MIC; @@ -695,7 +695,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_FAILURE; } - cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ + cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ if (cmp) { _gsskrb5_release_buffer(minor_status, output_message_buffer); *minor_status = 0; |