Re: [Buildroot] [PATCH 1/1] package/heimdal: security bump to version 7.7.1

From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/heimdal: security bump to version 7.7.1
Date: Sat, 26 Nov 2022 19:55:41 +0100	[thread overview]
Message-ID: <87edtpeeaa.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20221123222401.84489-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Wed, 23 Nov 2022 23:24:01 +0100")

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > This release fixes the following Security Vulnerabilities:
 > - CVE-2022-42898 PAC parse integer overflows
 > - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and
 >   arcfour
 > - CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of
 >   array
 > - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 > - CVE-2021-3671 A null pointer de-reference when handling missing sname
 >   in TGS-REQ
 > - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

 >   Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
 >   on the Common Vulnerability Scoring System (CVSS) v3, as we believe
 >   it should be possible to get an RCE on a KDC, which means that
 >   credentials can be compromised that can be used to impersonate
 >   anyone in a realm or forest of realms.

 >   Heimdal's ASN.1 compiler generates code that allows specially
 >   crafted DER encodings of CHOICEs to invoke the wrong free function
 >   on the decoded structure upon decode error. This is known to impact
 >   the Heimdal KDC, leading to an invalid free() of an address partly
 >   or wholly under the control of the attacker, in turn leading to a
 >   potential remote code execution (RCE) vulnerability.

 >   This error affects the DER codec for all extensible CHOICE types
 >   used in Heimdal, though not all cases will be exploitable. We have
 >   not completed a thorough analysis of all the Heimdal components
 >   affected, thus the Kerberos client, the X.509 library, and other
 >   parts, may be affected as well.

 >   This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
 >   only affect Heimdal 1.6 and up. It was first reported by Douglas
 >   Bagnall, though it had been found independently by the Heimdal
 >   maintainers via fuzzing a few weeks earlier.

 >   While no zero-day exploit is known, such an exploit will likely be
 >   available soon after public disclosure.

 > - CVE-2019-14870: Validate client attributes in protocol-transition

 > - CVE-2019-14870: Apply forwardable policy in protocol-transition
 > - CVE-2019-14870: Always lookup impersonate client in DB

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot