Re: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

2023-06-16 Thread Polampalli, Archana via lists.openembedded.org
Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org on behalf of Polampalli, Archana via lists.openembedded.org
Sent: Friday, June 16, 2023 5:40 PM
To: openembedded-core@lists.openembedded.org
Cc: G Pillai, Hari
Subject: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32

[OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

2023-06-16 Thread Polampalli, Archana via lists.openembedded.org
A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
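
Review bot: The normalised test in this hunk of _gssapi_verify_mic_arcfour() reads as inverted. With "== 0", cmp is non-zero when cksum_data matches p + 8, and the unchanged "if (cmp)" just below then returns GSS_S_BAD_MIC for a matching checksum. The two later hunks in this file use "!= 0", and the same form looks right here. Check this line against current upstream arcfour.c and carry any follow-up correction in the series.
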
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
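
Review bot: The first argument on both added lines of this hunk, _SEQ[4], is not a name used anywhere else in the visible context: the decode call above and the memset() below operate on SND_SEQ, and _number in the decode call looks truncated in the same way. Verify these lines against the upstream commit named in Upstream-Status before the patch file is committed, since a patch file carrying this text would not match the source it is meant to apply to.
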
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ if (cmp != 0) {
+
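
Review bot: Nothing in this hunk, or in the two before it, touches unwrap_des() or unwrap_des3(), which the cover text names as the site of the heap overflow; all three hunks change only comparisons in lib/gssapi/krb5/arcfour.c. The 0001 patch header has a subject line and tags but no body, so add a sentence there saying why the constant-time comparison change is carried as part of the CVE-2022-3437 series, so that each of the eight patches can be judged against the CVE description.
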