new file mode 100644
@@ -0,0 +1,38 @@
+From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 17 Nov 2021 20:00:29 -0500
+Subject: [PATCH] lib/wind: find_normalize read past end of array
+
+find_normalize() can under some circumstances read one element
+beyond the input array. The contents are discarded immediately
+without further use.
+
+This change prevents the unintended read.
+
+(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e)
+
+Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e
+
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c]
+CVE: CVE-2022-41916
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/wind/normalize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
+index 20e8a4a04b..8f3991d10e 100644
+--- a/lib/wind/normalize.c
++++ b/lib/wind/normalize.c
+@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len)
+ unsigned i;
+
+ if (n % 5 == 0) {
+- cur = *in++;
+ if (in_len-- == 0)
+ return c->val;
++ cur = *in++;
+ }
+
+ i = cur >> 16;
@@ -31,6 +31,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
+ file://CVE-2022-41916.patch;patchdir=source4/heimdal \
"
SRC_URI:append:libc-musl = " \
Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2022-41916 Upstream patches: https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../samba/samba/CVE-2022-41916.patch | 38 +++++++++++++++++++ .../samba/samba_4.14.14.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch