{"id":"CVE-2022-45142","details":"The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding \"!= 0\" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.","modified":"2026-04-16T04:34:43.851629134Z","published":"2023-03-06T23:15:11.233Z","related":["CGA-95p5-5mpq-3743","openSUSE-SU-2024:12846-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-06"},{"type":"ARTICLE","url":"https://www.openwall.com/lists/oss-security/2023/02/08/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/heimdal/heimdal","events":[{"introduced":"0"},{"last_affected":"78077c39e355766221383ee48c8b9be0459a82a4"},{"introduced":"0"},{"last_affected":"a6cf94577c0d1e5bca5304342e4ddffb18255afe"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.7.1"},{"introduced":"0"},{"last_affected":"7.8.0"}]}}],"versions":["git2svn-syncpoint-master","heimdal-1.3.0pre1","heimdal-1.3.0pre10","heimdal-1.3.0pre11","heimdal-1.3.0pre3","heimdal-1.3.0pre4","heimdal-1.3.0pre5","heimdal-1.3.0pre6","heimdal-1.3.0pre7","heimdal-1.3.0pre8","heimdal-1.3.0pre9","heimdal-1.3.0rc1","heimdal-1.5pre1","heimdal-1.5pre2","heimdal-7.0.1","heimdal-7.0.2","heimdal-7.0.3","heimdal-7.1.0","heimdal-7.1rc1","heimdal-7.2.0","heimdal-7.3.0","heimdal-7.4.0","heimdal-7.5.0","heimdal-7.6.0","heimdal-7.7.0","heimdal-7.7.1","heimdal-7.8.0","switch-from-svn-to-git","upstream-1.4.0+git20101228.dfsg.1","upstream-1.4.0+git20110220.dfsg.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45142.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}