From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id iA+xLwnhNGRtEgEASxT56A (envelope-from ) for ; Tue, 11 Apr 2023 06:24:41 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id 2NfFLwnhNGTtcQEA9RJhRA (envelope-from ) for ; Tue, 11 Apr 2023 06:24:41 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 2788F3F64B for ; Tue, 11 Apr 2023 06:24:41 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pm5Y6-0006WN-Ij; Tue, 11 Apr 2023 00:24:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pm5Y3-0006VL-Ha for guix-patches@gnu.org; Tue, 11 Apr 2023 00:24:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pm5Y2-0002Hu-Sp for guix-patches@gnu.org; Tue, 11 Apr 2023 00:24:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pm5Y2-0003Od-OC for guix-patches@gnu.org; Tue, 11 Apr 2023 00:24:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142. Resent-From: Felix Lechner Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 11 Apr 2023 04:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 62760 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 62760@debbugs.gnu.org Cc: Felix Lechner , Leo Famulari Received: via spool by 62760-submit@debbugs.gnu.org id=B62760.168118700713000 (code B ref 62760); Tue, 11 Apr 2023 04:24:02 +0000 Received: (at 62760) by debbugs.gnu.org; 11 Apr 2023 04:23:27 +0000 Received: from localhost ([127.0.0.1]:36297 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pm5XS-0003Nb-Pk for submit@debbugs.gnu.org; Tue, 11 Apr 2023 00:23:27 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38294) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pm5XQ-0003N6-92 for 62760@debbugs.gnu.org; Tue, 11 Apr 2023 00:23:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=CRMH2peYPgWU9N/ S+jNxg6KJqZk5DyzJDzaMjeEebBY=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=e24JfXl+xvULuA299oGW+8Xde4U8bNp/BsGxQv7v 8+lueTLuZMsL+YSk2dOu/EUchivV+OVMBzSsUJUwnJdh15nOHkmIUkL45PoyDA0UUYaK97 Qs92pMjQd5TlM+VYUkdSwSGTS/pM4gZ2/YcFS0tJrydi2JLrFDf1siukRHB+g= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id e259bef0 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Tue, 11 Apr 2023 04:23:23 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 3229d00c; Tue, 11 Apr 2023 04:23:22 +0000 (UTC) Date: Mon, 10 Apr 2023 21:23:12 -0700 Message-Id: <6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> References: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Felix Lechner X-ACL-Warn: , Felix Lechner via Guix-patches From: Felix Lechner via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1681187081; a=rsa-sha256; cv=none; b=aCLY5G4RYe+oFbTf1fh/o8ut4niB676IDrsuT6MDr82NupYp430YDSyp8Aap6FJr8jyGgD cOteMjlwTEZAbgWYQ1BCR7qEGn+Msdlq6p0sj95zI4urQJBRuQ+UllqJEi0UBywFb+456W /2EHk2gwYkDVa+EAhpD5PTE/ga3rexMWb5dlO+NoCvhvsp3zbcFx3nMLeLtVP+aEfKux0p MVa4nIt6WG9oYHBbZJi7BQmwDdhqXaAPRteUFo0Jw7oTbduV1mk6hq01tIYdlQmjibo5uK q43jMJTi7b0kGTRHQadmvWBtzcz80uwRitpfyY1cXXZov5cphKE86thauyv8Wg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=e24JfXl+; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1681187081; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=9r0WWn3ZqTX3VrFj6oSXaZjXIBvzK8Z8tewriR7rLcY=; b=SlrcmHlnLAjVpwJ+9GTlMUDoS51HD7BE/iNRMj4bG/cCq2zlHTz+J9KbWBMZZ4rOGxFnVN 6Dj1e0JB9NHYn/FLhp0659RngAGB9bTyRugx/nqzD5uey6X3/kCXVRAg3Ajv+Vu3pI34t0 Utg/ukA65ul4tpWhM45ErZptWVFQWJNAkHCx1oyQCAjOZbDBXUYOnyvY+Z73h69xCItbIk vTadRqXqIEGFDG5wrV+Iv729rCBEI+n8Vqq1RP37B5BK06bldkF2sNGm3xS3KMCOhhTDyi LhGLqdywWTCaAl3ZyGWeHoy1WPNUmHrr1b4ycEDa6x3IngGgkyIBhn72pO92qQ== Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=e24JfXl+; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Scanner: scn0.migadu.com X-Migadu-Spam-Score: -4.32 X-Spam-Score: -4.32 X-Migadu-Queue-Id: 2788F3F64B X-TUID: /jYEDzKaGT7w Several recent Heimdal releases are affected by the serious vulnerability CVE-2022-45142, which NIST scored as "7.5 HIGH". [1] At the time of writing, the upstream developers had not yet cut any releases post-7.8.0, which is why the patch is being applied here. The patch was extracted from Helmut Grohne's public vulnerability disclosure. [2] [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142 [2] https://www.openwall.com/lists/oss-security/2023/02/08/1 * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142. --- gnu/local.mk | 1 + gnu/packages/kerberos.scm | 2 + .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch diff --git a/gnu/local.mk b/gnu/local.mk index b7e19b6bc2..f4cd3f448a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1327,6 +1327,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ %D%/packages/patches/helm-fix-gcc-9-build.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/htslib-for-stringtie.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index ae4efcbc23..0faf879e35 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -176,6 +176,8 @@ (define-public heimdal (sha256 (base32 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) + (patches (search-patches + "heimdal-CVE-2022-45142.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch new file mode 100644 index 0000000000..a7258a937c --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch @@ -0,0 +1,49 @@ +From: Helmut Grohne +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +NB (Felix Lechner): The message above and the patch below were taken from the +disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1 + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1 -- 2.39.2