Описание
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 7.5.0+dfsg-1ubuntu0.4 |
| devel | needed | |
| esm-apps/jammy | needs-triage | |
| esm-apps/noble | needed | |
| esm-infra-legacy/trusty | released | 1.6~git20131207+dfsg-1ubuntu1.2+esm4 |
| esm-infra/bionic | released | 7.5.0+dfsg-1ubuntu0.4 |
| esm-infra/focal | released | 7.7.0+dfsg-1ubuntu1.4 |
| esm-infra/xenial | released | 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm4 |
| focal | released | 7.7.0+dfsg-1ubuntu1.4 |
| jammy | needs-triage |
Показывать по
EPSS
7.5 High
CVSS3
Связанные уязвимости
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
The fix for CVE-2022-3437 included changing memcmp to be constant time ...
EPSS
7.5 High
CVSS3