CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could it be updated?

Bug #2054916 reported by Dag Hovland
Affects             Status        Importance  Assigned to  Milestone
heimdal (Ubuntu)    Fix Released  Undecided   Unassigned
Focal               Fix Released  Undecided   Unassigned
Jammy               Triaged       Undecided   Unassigned

Bug Description

I am running Ubuntu 22.04. The version of heimdal installed (7.7.0) is vulnerable to CVE-2022-44640, which is categorised as critical by some (CrowdStrike Falcon at least). Is it possible to upgrade it to some non-vulnerable version?


Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

In Debian, this was fixed in 7.7.0+dfsg-2+deb11u1 in bullseye(-security) - i.e., 7.7.0+dfsg-2 was still affected.

7.7.0+dfsg-3 includes a fix for a different CVE:

heimdal (7.7.0+dfsg-3) unstable; urgency=high

  * Fix CVE-2021-3671: A null pointer de-reference was found in the way
    samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
  * Fix autoconf 2.7 issues

In focal, this was fixed in 7.7.0+dfsg-1ubuntu1.3 on Wed, 11 Jan 2023

  * SECURITY UPDATE: invalid free
    - debian/patches/CVE-2022-44640.patch: relocates a call to fprintf and
      parameters when calling it in decode_type() in lib/asn1/gen_decode.c
      and add a call to fprintf in free_type() in lib/asn1/gen_free.c.
    - CVE-2022-44640

In jammy, we have 7.7.0+dfsg-3ubuntu1. As mentioned above, 7.7.0+dfsg-3 does not include the fix for the mentioned CVE. Moreover, our delta in this release is just former delta being carried by the merge:

heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946860). Remaining changes:
    - Disable lto, to regain dep on roken, otherwise dependencies on amd64
      are different to i386 resulting in different files on amd64 and
      i386. LP #1934936
    - Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
      (LP #1945787)

Therefore, this does seem to still be affected by the CVE, as reported.

Changed in heimdal (Ubuntu):
status: New → Triaged
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Dag Hovland (hovlanddag) wrote :

Unfortunately, I am completely new to Ubuntu packaging. The documentation on update procedures in the post above points to https://canonical-ubuntu-packaging-guide.readthedocs-hosted.com/en/latest/ , which is under work, and seems to recommend only experienced packagers to make packages at the moment. Also I do not have a running Kerberos server, so testing would not really be possible. Sorry about this. If you can point me in the direction of documentation on packaging, and it is OK for someone else to test the setup, then I can give it a shot.

Paride Legovini (paride)
Changed in heimdal (Ubuntu Focal):
status: New → Fix Released
Changed in heimdal (Ubuntu Jammy):
status: New → Triaged
Changed in heimdal (Ubuntu):
status: Triaged → Fix Released