Debian Bug report logs - #1024187
heimdal: CVE-2022-44640 CVE-2022-42898 CVE-2022-3437 CVE-2021-44758
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>: Bug#1024187; Package src:heimdal. (Tue, 15 Nov 2022 21:30:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>. (Tue, 15 Nov 2022 21:30:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: heimdal
Version: 7.7.0+dfsg-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for heimdal.
CVE-2022-44640[0]:
| Invalid free in ASN.1 codec
CVE-2022-42898[1]:
| krb5_pac_parse() buffer parsing vulnerability
CVE-2022-3437[2]:
| Buffer overflow in Heimdal unwrap_des3()
CVE-2021-44758[3]:
| spnego: send_reject when no mech selected
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
From the 7.7.1 release notes[4]:
| This release fixes the following Security Vulnerabilities:
|
| CVE-2022-42898 PAC parse integer overflows
|
| CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
|
| CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
|
| CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
|
| Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
| on the Common Vulnerability Scoring System (CVSS) v3, as we believe
| it should be possible to get an RCE on a KDC, which means that
| credentials can be compromised that can be used to impersonate
| anyone in a realm or forest of realms.
|
| Heimdal's ASN.1 compiler generates code that allows specially
| crafted DER encodings of CHOICEs to invoke the wrong free function
| on the decoded structure upon decode error. This is known to impact
| the Heimdal KDC, leading to an invalid free() of an address partly
| or wholly under the control of the attacker, in turn leading to a
| potential remote code execution (RCE) vulnerability.
|
| This error affects the DER codec for all extensible CHOICE types
| used in Heimdal, though not all cases will be exploitable. We have
| not completed a thorough analysis of all the Heimdal components
| affected, thus the Kerberos client, the X.509 library, and other
| parts, may be affected as well.
|
| This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
| only affect Heimdal 1.6 and up. It was first reported by Douglas
| Bagnall, though it had been found independently by the Heimdal
| maintainers via fuzzing a few weeks earlier.
|
| While no zero-day exploit is known, such an exploit will likely be
| available soon after public disclosure.
|
| CVE-2019-14870: Validate client attributes in protocol-transition
|
| CVE-2019-14870: Apply forwardable policy in protocol-transition
|
| CVE-2019-14870: Always lookup impersonate client in DB
(CVE-2019-14870 was already fixed earlier in unstable)
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-44640
https://www.cve.org/CVERecord?id=CVE-2022-44640
[1] https://security-tracker.debian.org/tracker/CVE-2022-42898
https://www.cve.org/CVERecord?id=CVE-2022-42898
[2] https://security-tracker.debian.org/tracker/CVE-2022-3437
https://www.cve.org/CVERecord?id=CVE-2022-3437
[3] https://security-tracker.debian.org/tracker/CVE-2021-44758
https://www.cve.org/CVERecord?id=CVE-2021-44758
[4] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1
Regards,
Salvatore
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 16 07:17:18 2022; Machine Name: buxtehude