Improper Validation of Integrity Check Value Affecting heimdal package, versions <7.5.0+dfsg-1ubuntu0.4
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU1804-HEIMDAL-3315890
- published 8 Feb 2023
- disclosed 6 Mar 2023
Introduced: 8 Feb 2023
CVE-2022-45142 Open this link in a new tabHow to fix?
Upgrade Ubuntu:18.04 heimdal to version 7.5.0+dfsg-1ubuntu0.4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu.
See How to fix? for Ubuntu:18.04 relevant fixed versions and status.
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.