You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 lines
1.3 KiB
37 lines
1.3 KiB
https://bugs.gentoo.org/893722
|
|
https://www.openwall.com/lists/oss-security/2023/02/08/1
|
|
|
|
From: Helmut Grohne <helmut@...divi.de>
|
|
Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
|
|
|
|
The referenced commit attempted to fix miscompilations with gcc-9 and
|
|
gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
|
|
it also inverted the result of the comparison in two occasions. This
|
|
inversion happened during backporting the patch to 7.7.1 and 7.8.0.
|
|
|
|
Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
|
|
for arcfour unwrap")
|
|
Signed-off-by: Helmut Grohne <helmut@...divi.de>
|
|
--- a/lib/gssapi/krb5/arcfour.c
|
|
+++ b/lib/gssapi/krb5/arcfour.c
|
|
@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
|
|
return GSS_S_FAILURE;
|
|
}
|
|
|
|
- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
|
|
+ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
|
|
if (cmp) {
|
|
*minor_status = 0;
|
|
return GSS_S_BAD_MIC;
|
|
@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
|
|
return GSS_S_FAILURE;
|
|
}
|
|
|
|
- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
|
|
+ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
|
|
if (cmp) {
|
|
_gsskrb5_release_buffer(minor_status, output_message_buffer);
|
|
*minor_status = 0;
|
|
--
|
|
2.38.1
|