CVE-2022-45142: 
NixOS vulnerability analysis and mitigation

CVE-2022-45142 is a vulnerability in Heimdal's GSSAPI implementation that emerged from an attempt to fix a previous vulnerability (CVE-2022-3437). The issue affects Heimdal versions 7.7.1 and 7.8.0 branches, where a logic inversion occurred during the backporting of patches, causing incorrect validation of message integrity codes in gssapi/arcfour. This vulnerability was discovered on December 9, 2022, by Helmut Grohne during the backporting of patches (Openwall Mailing List).

The vulnerability stems from a logic inversion that occurred when fixing CVE-2022-3437, which involved changing memcmp to be constant time and adding '!= 0' comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches, the validation of message integrity codes in gssapi/arcfour was accidentally inverted. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD Database).

The vulnerability could allow an attacker to cause a denial of service and potentially bypass message integrity checks in affected Heimdal installations. This issue affects multiple Linux distributions including certain versions of Debian, Fedora, and Ubuntu (Openwall Mailing List).

Users are advised to upgrade to patched versions of Heimdal. For Ubuntu users, specific package versions have been released to address this vulnerability, including libgssapi3-heimdal version 7.7.0+dfsg-1ubuntu1.4 for Ubuntu 20.04 and corresponding versions for other Ubuntu releases. After updating, any applications using Heimdal libraries need to be restarted (Ubuntu Security Notice).