| commit | 9c9dac2b169255bad9071eea99fa90b980dde767 | |
| author | Nicolas Williams <nico@twosigma.com> | |
| Wed, 10 Mar 2021 22:49:04 +0000 (10 16:49 -0600) | ||
| committer | Nicolas Williams <nico@twosigma.com> | |
| Tue, 15 Nov 2022 23:51:45 +0000 (15 17:51 -0600) | ||
| tree | 9da3942ee30771efae7fcd0fe01a0e8ab089037e | treesnapshot (tar.gz zip) |
| parent | 2a4210b7e99a9126b29aeb1e58cc327069d01097 | commitdiff |
asn1: CVE-2022-44640 invalid free in ASN.1 codec
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.