Re: [OE-core] [PATCH] samba: fix CVE-2022-45142

2023-06-16 Thread Polampalli, Archana via lists.openembedded.org 
Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:34 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [PATCH] samba: fix CVE-2022-45142

The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"

 SRC_URI:append:libc-musl = " \
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183018): 
https://lists.openembedded.org/g/openembedded-core/message/183018
Mute This Topic: https://lists.openembedded.org/mt/99568906/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] samba: fix CVE-2022-45142

2023-06-16 Thread Polampalli, Archana via lists.openembedded.org 
The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"
 
 SRC_URI:append:libc-musl = " \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183010): 
https://lists.openembedded.org/g/openembedded-core/message/183010
Mute This Topic: https://lists.openembedded.org/mt/99568906/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-