5abaf08664
When CVE-2022-3437 was fixed by changing memcmp to be a constant time and the workaround for th e compiler was to add "!=0". However the logic implmented was inverted resulting in CVE-2022-4152. Reported by: Timothy E Zingelman <zingelman _AT_ fnal.gov> MFC after: 1 day Security: CVE-2022-4152 Security: https://www.cve.org/CVERecord?id=CVE-2022-45142 Security: https://nvd.nist.gov/vuln/detail/CVE-2022-45142 Security: https://security-tracker.debian.org/tracker/CVE-2022-45142 Security: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-45142 Security: https://bugzilla.samba.org/show_bug.cgi?id=15296 Security: https://www.openwall.com/lists/oss-security/2023/02/08/1 |
||
|---|---|---|
| .. | ||
| heimdal | ||
| openssh | ||
| openssl | ||
| README | ||
$FreeBSD$ This directory is for the EXACT same use as src/contrib, except it holds crypto sources. In other words, this holds raw sources obtained from various third party vendors, with FreeBSD patches applied. No compilation is done from this directory, it is all done from the src/secure directory. The separation between src/contrib and src/crypto is the result of an old USA law, which made these sources export controlled, so they had to be kept separate.