Re: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437
Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org on behalf of Polampalli, Archana via lists.openembedded.org
Sent: Friday, June 16, 2023 5:40 PM
To: openembedded-core@lists.openembedded.org
Cc: G Pillai, Hari
Subject: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef
Signed-off-by: Archana Polampalli --- .../samba/samba/CVE-2022-3437-0001.patch | 77 +++ .../samba/samba/CVE-2022-3437-0002.patch | 35 + .../samba/samba/CVE-2022-3437-0003.patch | 50 .../samba/samba/CVE-2022-3437-0004.patch | 57 ++ .../samba/samba/CVE-2022-3437-0005.patch | 37 + .../samba/samba/CVE-2022-3437-0006.patch | 65 .../samba/samba/CVE-2022-3437-0007.patch | 39 ++ .../samba/samba/CVE-2022-3437-0008.patch | 48 .../samba/samba_4.14.14.bb| 8 ++ 9 files changed, 416 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch new file mode 100644 index 0..abc778b73 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
@@ -0,0 +1,77 @@ +From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 12 Oct 2022 13:57:13 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour + unwrap + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli +--- + lib/gssapi/krb5/arcfour.c | 16 + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index a61f768..4fc46ce 100644 +--- a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +-cmp = ct_memcmp(cksum_data, p + 8, 8); ++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + _gsskrb5_decode_be_om_uint32(SND_SEQ, _number); + + if (context_handle->more_flags & LOCAL) +- cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0); + else +- cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0); + + memset(SND_SEQ, 0, sizeof(SND_SEQ)); + if (cmp != 0) { +@@ -656,9 +656,9 @@ OM_uint32
[OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef
Signed-off-by: Archana Polampalli --- .../samba/samba/CVE-2022-3437-0001.patch | 77 +++ .../samba/samba/CVE-2022-3437-0002.patch | 35 + .../samba/samba/CVE-2022-3437-0003.patch | 50 .../samba/samba/CVE-2022-3437-0004.patch | 57 ++ .../samba/samba/CVE-2022-3437-0005.patch | 37 + .../samba/samba/CVE-2022-3437-0006.patch | 65 .../samba/samba/CVE-2022-3437-0007.patch | 39 ++ .../samba/samba/CVE-2022-3437-0008.patch | 48 .../samba/samba_4.14.14.bb| 8 ++ 9 files changed, 416 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch new file mode 100644 index 0..abc778b73 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
@@ -0,0 +1,77 @@ +From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 12 Oct 2022 13:57:13 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour + unwrap + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton +Reviewed-by: Andrew Bartlett + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli +--- + lib/gssapi/krb5/arcfour.c | 16 + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index a61f768..4fc46ce 100644 +--- a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +-cmp = ct_memcmp(cksum_data, p + 8, 8); ++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + _gsskrb5_decode_be_om_uint32(SND_SEQ, _number); + + if (context_handle->more_flags & LOCAL) +- cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0); + else +- cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0); + + memset(SND_SEQ, 0, sizeof(SND_SEQ)); + if (cmp != 0) { +@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + _gsskrb5_decode_be_om_uint32(SND_SEQ, _number); + + if (context_handle->more_flags & LOCAL) +- cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0); + else +- cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0); + + if (cmp != 0) { +
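
Review bot: the comparison in the "@@ -365,7 +365,7 @@" hunk of _gssapi_verify_mic_arcfour looks inverted. With cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); followed by the unchanged if (cmp) { ... return GSS_S_BAD_MIC; }, a matching checksum now returns GSS_S_BAD_MIC and a mismatching one falls through, whereas the removed line cmp = ct_memcmp(cksum_data, p + 8, 8); rejected on mismatch. The "@@ -385,9" and "@@ -656,9" hunks both use != 0, and this one should too: cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); so that the MIC check keeps the sense it had before the change.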
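
Review bot: the file paths in the embedded diff header (diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c) are relative to the Heimdal tree the upstream commit comes from, not to the Samba source the recipe unpacks. The samba_4.14.14.bb hunk is not visible in this part of the mail, so please confirm that the eight new SRC_URI entries are applied against the directory holding Samba's bundled Heimdal (for example with a patchdir parameter) or that the paths in the .patch files were rewritten to match; otherwise do_patch will not find arcfour.c.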
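
Review bot: the commit message and the content of CVE-2022-3437-0001.patch do not line up, and that deserves a sentence of documentation. The message describes a heap overflow in unwrap_des() and unwrap_des3(), while this first backport only touches checksum and sequence comparisons in arcfour.c ("Use constant-time memcmp() for arcfour unwrap"). Stating in the commit message which of the eight patches carries the length checks and which are accompanying hardening would make the series easier to review and to drop later on a version bump.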