[Buildroot] [PATCH 1/1] package/heimdal: security bump to version 7.7.1

Thomas Petazzoni thomas.petazzoni at bootlin.com
Wed Nov 23 22:35:23 UTC 2022 

On Wed, 23 Nov 2022 23:24:01 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:

> This release fixes the following Security Vulnerabilities:
> 
> - CVE-2022-42898 PAC parse integer overflows
> - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and
>   arcfour
> - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of
>   array
> - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
> - CVE-2021-3671 A null pointer de-reference when handling missing sname
>   in TGS-REQ
> - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
> 
>   Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
>   on the Common Vulnerability Scoring System (CVSS) v3, as we believe
>   it should be possible to get an RCE on a KDC, which means that
>   credentials can be compromised that can be used to impersonate
>   anyone in a realm or forest of realms.
> 
>   Heimdal's ASN.1 compiler generates code that allows specially
>   crafted DER encodings of CHOICEs to invoke the wrong free function
>   on the decoded structure upon decode error. This is known to impact
>   the Heimdal KDC, leading to an invalid free() of an address partly
>   or wholly under the control of the attacker, in turn leading to a
>   potential remote code execution (RCE) vulnerability.
> 
>   This error affects the DER codec for all extensible CHOICE types
>   used in Heimdal, though not all cases will be exploitable. We have
>   not completed a thorough analysis of all the Heimdal components
>   affected, thus the Kerberos client, the X.509 library, and other
>   parts, may be affected as well.
> 
>   This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
>   only affect Heimdal 1.6 and up. It was first reported by Douglas
>   Bagnall, though it had been found independently by the Heimdal
>   maintainers via fuzzing a few weeks earlier.
> 
>   While no zero-day exploit is known, such an exploit will likely be
>   available soon after public disclosure.
> 
> - CVE-2019-14870: Validate client attributes in protocol-transition
> 
> - CVE-2019-14870: Apply forwardable policy in protocol-transition
> - CVE-2019-14870: Always lookup impersonate client in DB
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
>  package/heimdal/heimdal.hash | 4 ++--
>  package/heimdal/heimdal.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

More information about the buildroot mailing list