Bug 31530 - heimdal new security issue CVE-2022-45142
Summary: heimdal new security issue CVE-2022-45142
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-09 17:25 CET by David Walser
Modified: 2023-03-18 23:18 CET

See Also:
Source RPM: heimdal-7.7.1-1.2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-02-09 17:25:35 CET
A security issue in heimdal has been announced on February 8:
https://www.openwall.com/lists/oss-security/2023/02/08/1

The fix for CVE-2022-3437 (Bug 31172) has a logic error.

A patch to fix the issue is in the message linked above.

Mageia 8 is also affected.
Comment 1 David Walser 2023-02-09 17:39:31 CET
Debian has issued an advisory for this on February 8:
https://www.debian.org/security/2023/dsa-5344
Comment 2 David Walser 2023-02-09 17:44:10 CET
(In reply to David Walser from comment #1)
> Debian has issued an advisory for this on February 8:
> https://www.debian.org/security/2023/dsa-5344

as has Ubuntu:
https://ubuntu.com/security/notices/USN-5849-1
Comment 3 Marja Van Waes 2023-02-09 21:03:09 CET
Assigning to our registered heimdal maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 4 David Walser 2023-02-11 19:43:24 CET
Fixed in heimdal-7.8.0-2.mga9 by Guillaume.

Version: Cauldron => 8

Comment 5 Nicolas Salguero 2023-03-13 14:40:47 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted. (CVE-2022-45142)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45142
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://www.debian.org/security/2023/dsa-5344
https://ubuntu.com/security/notices/USN-5849-1
========================

Updated packages in core/updates_testing:
========================
heimdal-devel-7.7.1-1.3.mga8
heimdal-devel-doc-7.7.1-1.3.mga8
heimdal-libs-7.7.1-1.3.mga8
heimdal-server-7.7.1-1.3.mga8
heimdal-workstation-7.7.1-1.3.mga8

from SRPM:
heimdal-7.7.1-1.3.mga8.src.rpm

Source RPM: heimdal-7.8.0-1.mga9.src.rpm => heimdal-7.7.1-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs
CC: (none) => nicolas.salguero
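
The logic inversion described in the advisory of comment 5, shown as an added C example (not Heimdal's code and not part of the original bug report). All names (`ct_compare`, `verify_mic_fixed`, `verify_mic_inverted`, `verifier_is_sound`, the status codes) and the 8-byte sample MIC are hypothetical; the check at the end tests both directions, which is what catches an inverted comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time compare with memcmp's convention: 0 means "equal". */
static int ct_compare(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];   /* no early exit on first difference */
    return diff;
}

enum { MIC_OK = 0, MIC_BAD = 1 };   /* hypothetical status codes */

/* Intended form: a non-zero compare result means the MIC does not match. */
int verify_mic_fixed(const uint8_t *expected, const uint8_t *received, size_t n)
{
    int mismatch = (ct_compare(expected, received, n) != 0);
    return mismatch ? MIC_BAD : MIC_OK;
}

/* Inverted form: "== 0" makes a match the failure condition, so a valid
 * MIC is rejected and a non-matching MIC is accepted. */
int verify_mic_inverted(const uint8_t *expected, const uint8_t *received, size_t n)
{
    int mismatch = (ct_compare(expected, received, n) == 0);
    return mismatch ? MIC_BAD : MIC_OK;
}

typedef int (*verify_fn)(const uint8_t *, const uint8_t *, size_t);

/* Regression check: returns 1 only if the verifier accepts the matching
 * MIC and rejects one with a single flipped bit. */
int verifier_is_sound(verify_fn verify)
{
    static const uint8_t good[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    uint8_t tampered[8];
    memcpy(tampered, good, sizeof good);
    tampered[7] ^= 0x01;
    return verify(good, good, sizeof good) == MIC_OK &&
           verify(good, tampered, sizeof good) == MIC_BAD;
}

int main(void)
{
    return (verifier_is_sound(verify_mic_fixed) &&
            !verifier_is_sound(verify_mic_inverted)) ? 0 : 1;
}
```
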

Comment 6 Herman Viaene 2023-03-16 10:37:36 CET
MGA8-64 MATE on Acer Aspire 5253
On selecting heimdal-devel, I get
The following packages have to be removed for others to be upgraded:
curl-examples-7.74.0-1.11.mga8.noarch
 (due to unsatisfied curl-devel >= 1:7.74.0-1.11.mga8)
lib64curl-devel-7.74.0-1.11.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64dcmtk-devel-3.6.5-3.1.mga8.x86_64
 (due to missing devel(libwrap(64bit)))
lib64gsasl-devel-1.8.1-2.1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64krb53-devel-1.18.3-1.3.mga8.x86_64
 (due to conflicts with heimdal-devel-7.7.1-1.3.mga8.x86_64)
lib64nsl-devel-1.3.0-2.mga8.x86_64
 (due to unsatisfied pkgconfig(libtirpc) >= 1.0.1)
lib64qt5network-devel-5.15.2-4.8.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64qt5positioning-devel-5.15.2-1.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing pkgconfig(Qt5Qml),
  due to missing devel(libQt5Qml(64bit)),
  due to missing pkgconfig(Qt5Quick),
  due to missing devel(libQt5Quick(64bit)))
lib64qt5qml-devel-5.15.2-1.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing pkgconfig(Qt5Network))
lib64qt5qmlmodels-devel-5.15.2-1.mga8.x86_64
 (due to missing pkgconfig(Qt5Qml),
  due to missing devel(libQt5Qml(64bit)))
lib64qt5quick-devel-5.15.2-1.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing pkgconfig(Qt5Qml),
  due to missing devel(libQt5Qml(64bit)),
  due to missing devel(libQt5QmlModels(64bit)),
  due to missing pkgconfig(Qt5QmlModels))
lib64qt5webchannel-devel-5.15.2-1.mga8.x86_64
 (due to missing pkgconfig(Qt5Qml),
  due to missing devel(libQt5Qml(64bit)))
lib64qt5webkit-devel-5.212.0-1.alpha4.6.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing pkgconfig(Qt5Network),
  due to missing devel(libQt5Qml(64bit)),
  due to missing devel(libQt5Quick(64bit)),
  due to missing devel(libQt5Positioning(64bit)),
  due to missing devel(libQt5WebChannel(64bit)))
lib64qt5webkitwidgets-devel-5.212.0-1.alpha4.6.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing pkgconfig(Qt5Network),
  due to missing devel(libQt5WebKit(64bit)),
  due to missing pkgconfig(Qt5WebKit))
lib64soup-devel-2.72.0-1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64ssh-devel-0.9.6-1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64tirpc-devel-1.3.3-1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64webkit2-devel-2.38.5-1.mga8.x86_64
 (due to missing pkgconfig(libsoup-2.4),
  due to missing devel(libsoup-2.4(64bit)))
lib64wkhtmltox-devel-0.12.5-4.1.mga8.x86_64
 (due to missing devel(libQt5Network(64bit)),
  due to missing devel(libQt5WebKit(64bit)),
  due to missing devel(libQt5WebKitWidgets(64bit)))
lib64wrap-devel-7.6-51.mga8.x86_64
 (due to missing devel(libnsl(64bit)))

CC: (none) => herman.viaene

Comment 7 David Walser 2023-03-16 13:57:03 CET
Looks like you have a mix of other packages from updates_testing installed.  Either downgrade those or enable updates_testing.
Comment 8 Herman Viaene 2023-03-16 14:53:17 CET
I use QARepo to load only the rpms specified in the update bug. Thus the contents of QARepo are always small; I clear it before the next bug.
What you suggest is that dependencies of other recent updates that I tested and are still pending, are causing this?
Comment 9 Dave Hodgins 2023-03-16 15:36:24 CET
Normally devel packages are not installed as part of testing as they are
used for compiling programs that use the packages being installed. The
main exception is the kernel devel packages that are needed to compile
dkms packages.

Don't include the devel packages when using qa repo.

CC: (none) => davidwhodgins

Comment 10 Herman Viaene 2023-03-16 16:04:26 CET
OK, easy enough, that installs OK
Ref bug 31172 for testing:
 systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center ser>
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; ven>
     Active: active (running) since Thu 2023-03-16 15:56:56 CET; 59s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 14393 (kdc)
      Tasks: 3 (limit: 4364)
     Memory: 1.7M
        CPU: 46ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─14393 /usr/libexec/kdc
             ├─14395 /usr/libexec/kdc
             └─14396 /usr/libexec/kdc

Mar 16 15:56:56 mach7.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerber>
[root@mach7 ~]# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS
This makes sense.
$ verify_krb5_conf 
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: //etc/krb5.conf:3: binding before section

Seems all OK

Whiteboard: (none) => MGA8-64-OK

Comment 11 David Walser 2023-03-16 16:15:18 CET
(In reply to Herman Viaene from comment #8)
> I use QARepo to load only the rpms specified in the update bug. Thus the
> contents of QARepo are always small; I clear it before the next bug.
> What you suggest is that dependencies of other recent updates that I tested
> and are still pending, are causing this?

Yes, exactly.
Comment 12 Thomas Andrews 2023-03-16 20:00:07 CET
Validating. Advisory in comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:46:23 CET

Keywords: (none) => advisory

Comment 13 Mageia Robot 2023-03-18 23:18:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0098.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

