CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

CVE-2022-45142 – Gentoo Linux Security Advisory 202310-06
https://notcve.org/view.php?id=CVE-2022-45142
08 Feb 2023 — The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches), a logic inversion sneaked in, causing the validation of message integrity codes in gssapi/arcfour to be inverted. Helmut Grohne discovered a flaw in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos. The...
• https://security.gentoo.org/glsa/202310-06
• CWE-354: Improper Validation of Integrity Check Value