Source: heimdal
Version: 7.7.0+dfsg-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for heimdal.

CVE-2022-44640[0]:
| Invalid free in ASN.1 codec

CVE-2022-42898[1]:
| krb5_pac_parse() buffer parsing vulnerability

CVE-2022-3437[2]:
| Buffer overflow in Heimdal unwrap_des3()

CVE-2021-44758[3]:
| spnego: send_reject when no mech selected

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

From the 7.7.1 release notes[4]:

| This release fixes the following Security Vulnerabilities:
|
| CVE-2022-42898 PAC parse integer overflows
|
| CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
|
| CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
|
| CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
|
| Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
| on the Common Vulnerability Scoring System (CVSS) v3, as we believe
| it should be possible to get an RCE on a KDC, which means that
| credentials can be compromised that can be used to impersonate
| anyone in a realm or forest of realms.
|
| Heimdal's ASN.1 compiler generates code that allows specially
| crafted DER encodings of CHOICEs to invoke the wrong free function
| on the decoded structure upon decode error. This is known to impact
| the Heimdal KDC, leading to an invalid free() of an address partly
| or wholly under the control of the attacker, in turn leading to a
| potential remote code execution (RCE) vulnerability.
|
| This error affects the DER codec for all extensible CHOICE types
| used in Heimdal, though not all cases will be exploitable. We have
| not completed a thorough analysis of all the Heimdal components
| affected, thus the Kerberos client, the X.509 library, and other
| parts, may be affected as well.
|
| This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
| only affect Heimdal 1.6 and up. It was first reported by Douglas
| Bagnall, though it had been found independently by the Heimdal
| maintainers via fuzzing a few weeks earlier.
|
| While no zero-day exploit is known, such an exploit will likely be
| available soon after public disclosure.
|
| CVE-2019-14870: Validate client attributes in protocol-transition
|
| CVE-2019-14870: Apply forwardable policy in protocol-transition
|
| CVE-2019-14870: Always lookup impersonate client in DB

(CVE-2019-14870 was already fixed earlier in unstable)

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44640
    https://www.cve.org/CVERecord?id=CVE-2022-44640
[1] https://security-tracker.debian.org/tracker/CVE-2022-42898
    https://www.cve.org/CVERecord?id=CVE-2022-42898
[2] https://security-tracker.debian.org/tracker/CVE-2022-3437
    https://www.cve.org/CVERecord?id=CVE-2022-3437
[3] https://security-tracker.debian.org/tracker/CVE-2021-44758
    https://www.cve.org/CVERecord?id=CVE-2021-44758
[4] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1

Regards,
Salvatore
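The quoted release notes describe the CVE-2022-44640 bug class only in one sentence: generated decoder code that, on a decode error, calls a free routine keyed on a CHOICE discriminator which no longer matches what the structure actually holds. The toy below is an added illustration of that pattern in its simplest form and is not Heimdal code; the real generated code path, the type names (`toy_choice`, `decode_toy_choice_bad`, `decode_toy_choice_good`) and the DER inputs are all constructed here. It shows a free routine that trusts the discriminator, a decoder that commits the discriminator before the member is initialised, and the hardened shape that commits discriminator and member together and leaves the output zeroed on every error path, so that the customary "free on error" cleanup is a no-op.

```c
/* Added toy for the CHOICE free-dispatch hazard named in the 7.7.1 notes.
 * Constructed example; not Heimdal's generated code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum toy_elem { TOY_NONE = 0, TOY_INT = 1, TOY_OCTETS = 2 };

struct toy_choice {
    enum toy_elem element;                 /* which union member is live */
    union {
        int64_t i;                         /* INTEGER alternative (tag 0x02) */
        struct { uint8_t *data; size_t len; } os;  /* OCTET STRING (tag 0x04); data aliases i */
    } u;
};

/* Release hook so a test can observe what would be handed to free(). */
static void *toy_last_released;
static int toy_release_count;
static void toy_record_release(void *p) { toy_last_released = p; toy_release_count++; }

/* Free routine shaped like generated code: it trusts the discriminator. */
static void free_toy_choice(struct toy_choice *s, void (*release)(void *))
{
    if (s->element == TOY_OCTETS)
        release(s->u.os.data);
    memset(s, 0, sizeof *s);
}

/* Tag and short-form length only; does NOT check that contents are present. */
static int der_tl(const uint8_t *p, size_t n, uint8_t *tag, size_t *len)
{
    if (n < 2 || (p[1] & 0x80)) return -1;
    *tag = p[0]; *len = p[1];
    return 0;
}

/* Big-endian two's-complement INTEGER contents, 1..8 bytes. */
static int64_t der_int(const uint8_t *c, size_t len)
{
    uint64_t v = (c[0] & 0x80) ? ~(uint64_t)0 : 0;
    for (size_t k = 0; k < len; k++) v = (v << 8) | c[k];
    return (int64_t)v;
}

/* VULNERABLE shape: `element` is committed before the member is decoded, so a
 * truncated input returns an error while `element` already says TOY_OCTETS and
 * u.os.data still holds whatever was in the caller's memory. */
static int decode_toy_choice_bad(const uint8_t *p, size_t n, struct toy_choice *s)
{
    uint8_t tag; size_t len;
    if (der_tl(p, n, &tag, &len) != 0) return -1;
    if (tag == 0x02 && len >= 1 && len <= 8) {
        s->element = TOY_INT;
        if (2 + len > n) return -1;
        s->u.i = der_int(p + 2, len);
        return 0;
    }
    if (tag == 0x04) {
        s->element = TOY_OCTETS;           /* committed too early */
        if (2 + len > n) return -1;        /* truncated: u.os.data is stale */
        s->u.os.data = malloc(len ? len : 1);
        if (!s->u.os.data) return -1;
        memcpy(s->u.os.data, p + 2, len);
        s->u.os.len = len;
        return 0;
    }
    return -1;
}

/* HARDENED shape: decode into a local, commit discriminator and member in one
 * assignment, and keep the output zeroed (TOY_NONE) on every error path. */
static int decode_toy_choice_good(const uint8_t *p, size_t n, struct toy_choice *s)
{
    struct toy_choice tmp; uint8_t tag; size_t len;
    memset(&tmp, 0, sizeof tmp);
    memset(s, 0, sizeof *s);
    if (der_tl(p, n, &tag, &len) != 0 || 2 + len > n) return -1;
    if (tag == 0x02 && len >= 1 && len <= 8) {
        tmp.element = TOY_INT;
        tmp.u.i = der_int(p + 2, len);
    } else if (tag == 0x04) {
        tmp.u.os.data = malloc(len ? len : 1);
        if (!tmp.u.os.data) return -1;
        memcpy(tmp.u.os.data, p + 2, len);
        tmp.u.os.len = len;
        tmp.element = TOY_OCTETS;
    } else {
        return -1;
    }
    *s = tmp;
    return 0;
}

/* Scenario: an uninitialised caller struct (simulated with a 0x41 fill), a
 * constructed truncated OCTET STRING (claims 16 bytes, carries 2), then the
 * usual free-on-error cleanup.  Returns the pointer the free routine released,
 * or NULL if it released nothing. */
static void *run_scenario(int (*decode)(const uint8_t *, size_t, struct toy_choice *))
{
    static const uint8_t msg_trunc[] = { 0x04, 0x10, 0xAA, 0xBB };
    struct toy_choice s;
    memset(&s, 0x41, sizeof s);            /* simulated stack garbage */
    toy_last_released = NULL; toy_release_count = 0;
    if (decode(msg_trunc, sizeof msg_trunc, &s) == 0) return NULL;  /* not expected */
    free_toy_choice(&s, toy_record_release);
    return toy_last_released;
}

int main(void)
{
    printf("bad decoder releases  %p\n", run_scenario(decode_toy_choice_bad));
    printf("good decoder releases %p\n", run_scenario(decode_toy_choice_good));
    return 0;
}
```

The vulnerable path ends with `release()` receiving the 0x41 fill pattern as a pointer, which is the shape of the "invalid free() of an address partly or wholly under the control of the attacker" the notes describe once the stale bytes come from elsewhere in the message; the hardened path releases nothing because the decoder never leaves a discriminator that disagrees with the union.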