The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/45xxx/CVE-2022-45142.json",
"cna_assigner": "redhat",
"cwe_ids": [
"CWE-354"
]
}{
"source": "CPE_STRING",
"cpe": [
"cpe:2.3:a:heimdal_project:heimdal:7.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:heimdal_project:heimdal:7.8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.7.1"
},
{
"last_affected": "7.7.1"
},
{
"introduced": "7.8.0"
},
{
"last_affected": "7.8.0"
}
]
}