[Buildroot] [PATCH 1/1] package/heimdal: security bump to version 7.7.1
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Wed Nov 23 22:35:23 UTC 2022
On Wed, 23 Nov 2022 23:24:01 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> This release fixes the following Security Vulnerabilities:
>
> - CVE-2022-42898 PAC parse integer overflows
> - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and
> arcfour
> - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of
> array
> - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
> - CVE-2021-3671 A null pointer de-reference when handling missing sname
> in TGS-REQ
> - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
>
> Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
> on the Common Vulnerability Scoring System (CVSS) v3, as we believe
> it should be possible to get an RCE on a KDC, which means that
> credentials can be compromised that can be used to impersonate
> anyone in a realm or forest of realms.
>
> Heimdal's ASN.1 compiler generates code that allows specially
> crafted DER encodings of CHOICEs to invoke the wrong free function
> on the decoded structure upon decode error. This is known to impact
> the Heimdal KDC, leading to an invalid free() of an address partly
> or wholly under the control of the attacker, in turn leading to a
> potential remote code execution (RCE) vulnerability.
>
> This error affects the DER codec for all extensible CHOICE types
> used in Heimdal, though not all cases will be exploitable. We have
> not completed a thorough analysis of all the Heimdal components
> affected, thus the Kerberos client, the X.509 library, and other
> parts, may be affected as well.
>
> This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
> only affect Heimdal 1.6 and up. It was first reported by Douglas
> Bagnall, though it had been found independently by the Heimdal
> maintainers via fuzzing a few weeks earlier.
>
> While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure.
>
> - CVE-2019-14870: Validate client attributes in protocol-transition
>
> - CVE-2019-14870: Apply forwardable policy in protocol-transition
> - CVE-2019-14870: Always lookup impersonate client in DB
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> package/heimdal/heimdal.hash | 4 ++--
> package/heimdal/heimdal.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list