gnu: heimdal: Update to 7.4.0.

DoneSubmitted by Alex Vong.
Details
5 participants
  • Alex Vong
  • 宋文武
  • Leo Famulari
  • Christopher Baines
  • Ricardo Wurmus
Owner
unassigned
Severity
normal
A
A
Alex Vong wrote on 18 Jul 2017 10:26
[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(address . guix-patches@gnu.org)
87wp76kv68.fsf@gmail.com
Tags: security
Hello,
THis patch upgrades heimdal to its latest version, fixingCVE-2017-11103. Here are a few remarks:
1. Upstream switches to github for hosting2. A lots of libraries are bundled3. Many db tests fail4. It does not build reproducibly
I decide to submit this despite many db tests fail because I think weshould fix CVE-2017-11103 asap.
From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001From: Alex Vong <alexvong1995@gmail.com>Date: Tue, 18 Jul 2017 06:36:48 +0800Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.[source]: Update source uri.[arguments]: Adjust #:configure-flags and build phases accordingly.[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.--- gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 54 insertions(+), 15 deletions(-)
Toggle diff (124 lines)diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scmindex 58f619770..5682a0add 100644--- a/gnu/packages/kerberos.scm+++ b/gnu/packages/kerberos.scm@@ -5,6 +5,7 @@ ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -23,6 +24,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages)+ #:use-module (gnu packages autotools) #:use-module (gnu packages bison) #:use-module (gnu packages perl) #:use-module (gnu packages gnupg)@@ -32,6 +34,7 @@ #:use-module (gnu packages compression) #:use-module (gnu packages databases) #:use-module (gnu packages readline)+ #:use-module (gnu packages texinfo) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages)@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.") (define-public heimdal (package (name "heimdal")- (version "1.5.3")+ (version "7.4.0") (source (origin (method url-fetch)- (uri (string-append "http://www.h5l.org/dist/src/heimdal-"- version ".tar.gz"))+ (uri (string-append "https://github.com/" name "/" name+ "/releases/download/" name "-" version+ "/" name "-" version ".tar.gz")) (sha256 (base32- "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))+ "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x")) (modules '((guix build utils)))- (snippet+ (snippet ;FIXME: remove bundled libraries '(substitute* "configure" (("User=.*$") "User=Guix\n") (("Date=.*$") "Date=2017\n"))))) (build-system gnu-build-system) (arguments- '(#:configure-flags (list- ;; Work around a linker error.- "CFLAGS=-pthread"+ '(#:modules ((guix build gnu-build-system)+ (guix build utils)+ (srfi srfi-26))++ #:configure-flags (list+ (string-append "CPPFLAGS=-D_PATH_BSHELL="+ (assoc-ref %build-inputs "bash")+ "/bin/sh") ;; Avoid 7 MiB of .a files. "--disable-static"@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.") (assoc-ref %build-inputs "readline") "/include")) #:phases (modify-phases %standard-phases+ (add-after 'unpack 'pre-build+ (lambda _+ (for-each (lambda (file) ;fix sh paths+ (substitute* file+ (("/bin/sh")+ (which "sh"))))+ '("appl/afsutil/pagsh.c" "tools/Makefile.am"))+ (substitute* "lib/roken/getxxyyy.c" ;set user during test+ (("user = getenv\\(\"USER\"\\);")+ (format #f+ "#ifndef TEST_GETXXYYY+#error \"TEST_GETXXYYY is not defined\"+#endif+user = \"~a\";+"+ (passwd:name (getpwuid (getuid))))))+ #t))++ (add-after 'pre-build 'autogen+ (lambda _+ (zero? (system* "sh" "autogen.sh"))))+ (add-before 'check 'skip-tests (lambda _- ;; The test simply runs 'ftp --version && ftp --help'- ;; but that fails in the chroot because 'ftp' tries to- ;; do a service lookup before printing the help/version.- (substitute* "appl/ftp/ftp/Makefile.in"- (("^CHECK_LOCAL =.*")- "CHECK_LOCAL = no-check-local\n"))+ ;; skip db tests for now+ ;; FIXME: figure out why they fail+ (call-with-output-file "tests/db/have-db.in"+ (cut format <> "#!~a~%exit 1~%" (which "sh"))) #t)))))+ (native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et'- (inputs `(("readline" ,readline)+ (inputs `(("autoconf" ,autoconf) ;for autogen+ ("automake" ,automake)+ ("libtool" ,libtool)+ ("perl" ,perl)+ ("perl-json" ,perl-json)++ ("texinfo" ,texinfo) ;for doc+ ("unzip" ,unzip) ;for test++ ("readline" ,readline) ("bdb" ,bdb) ("e2fsprogs" ,e2fsprogs))) ;for libcom_err (home-page "http://www.h5l.org/")-- 2.13.3
Cheers,Alex
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlltxi8ACgkQxYq4eRf1Ea4gfA//e9GKYG/w5iq8LJFijWQdM257FCQ9xY1aznR5qj7YIJwvQsPrnbVfUp2RZffK9LPd82gWO+k5I15/iiJu4djsP+8nuvTqxGJB670tbzoCKjq4NCANtZXwzi92mmb7fwYdCyiyYhPi0boayyfCdzMl5az71JuwSGefgPPXmt9O062j1DEIZrEctgRXlEdIYkW4Y7auHYml4xzP1PONUDiOINrpHa6BRsfqageMKYJ0HEjZaY8ZSDE4P66P2In6ZwhOnEIOfQQV1rqCUezfGm9YAkP8X1JvWcmVpWJFW7EDSCKLa1JlfC+eTUrWluLVr1j3pOAzZBAtTvCY9HgOOglHfcSoiaOt4xpDeTUfhRDFIKQWY/fjlMstgXHc1mTSNBHy8KwW7pd8v/PpSl0qJrmDrMqNoKnOtRjKksgbFijoEZkgcn5BNPviWdJdK6QaFc30fjxzSJsmopG5OSS1HcfkOEjM7euQtcScyCYjq+ZkdpJ0l56RieTVkOQSgYCKbsUZPhPG4wMQzmboF2GyXyP6cuMJue9UW+eAvneF2MIRVqwNUgyLXs6zFDIEk/vl4YFfyg72YPL6Qye60voyvxjMO6l1WCH5vnMygKXBYZQBOQM1COVF29QbSDatCehFSmK5L0xSGQV+eQZrVa5vsVhKF0dXh+5yYuPtP3Tz+TT/GiM==AWHe-----END PGP SIGNATURE-----
L
L
Leo Famulari wrote on 18 Jul 2017 17:49
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718154906.GB16798@jasmine.lan
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
Toggle quote (3 lines)> THis patch upgrades heimdal to its latest version, fixing> CVE-2017-11103. Here are a few remarks:
Thanks! We also need to look at our samba package, which bundles heimdal(we should fix that).
Toggle quote (2 lines)> 1. Upstream switches to github for hosting
Okay.
Toggle quote (2 lines)> 2. A lots of libraries are bundled
Which directory are they in? We should take a look at them and weigh therisk of adding new vulnerabilities through the use of (possibly old andunmaintained) bundled libraries.
If things look complicated, maybe it's possible to apply a patch to thisolder Heimdal while we figure everything out.
Maybe we can find a patch for CVE-2017-11103 from Red Hat or anotherlong-term-support distro. I noticed an unrelated patch for Heimdal1.6 here:https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
Toggle quote (2 lines)> 3. Many db tests fail
Do you think they are a problem in practice? Ludovic, you added Heimdal,what do you think about this big version bump?
Toggle quote (2 lines)> 4. It does not build reproducibly
Not great but also not a blocker.
Toggle quote (19 lines)> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Tue, 18 Jul 2017 06:36:48 +0800> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].> > * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.> [source]: Update source uri.> [arguments]: Adjust #:configure-flags and build phases accordingly.> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
> #:phases (modify-phases %standard-phases> + (add-after 'unpack 'pre-build> + (lambda _> + (for-each (lambda (file) ;fix sh paths> + (substitute* file> + (("/bin/sh")> + (which "sh"))))> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
Do we re-bootstrap because we edit Makefile.am? Is it possible to editthe generated Makefile directly?
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlluLe4ACgkQJkb6MLrKfwgD7hAAv3heJSRc60o2L4Wxwyk7MXpKb/qufSPeBnO3NWPlb8U1QEJNxlfsA/HOolwwZ4rQ2YnD/MZrZu1b+suIvAe10mgHNXRmetrvxLHfEmtgq5xJave/6jvdf9w3XwGyIolYzkR+WcsGtO1JWnVMi+q1L7gQBff592b1YeiJEjXgHQt20e8BG5eUvR2SBKkuVmsHgeaRiDii/eL50Ji3Cmr3gxb10k+tL1sDfIa2C/7/aZG4VDWwVRv4WmNLF6jC2KMOcMwIjPl+UTKY85yBIoTLZcQD+Gz1NgdJQyXMpOMAA7rI6H6SUwFolSqRFMPdxaqjLgpEBR5R6kU5CHDde4gXpnVIdkNG7AXwnI/76fLXFG6Wkl+Q4JGhwOyhMm+Ox9ZRcAj4BXCdCYRLp/LHzGUlmOXkEzaGAGm7nYLzx8o/rMsLmh23R+axWmx/9c/CZODZJ2EOdTpR74mjKLd9W41zXeKlwxzfXh9DV/ujwfT7cjBZ0aO5yhalG2Zi+ZsHQw+VmHESQeexcN4MALTklTl3TY9SWJ6WndrT35pS+OhOoacahe1Lm/0VCT7+AChM0XTxeSW/T+4NMoH2dv9GEBtextXqjbQCyNyvfpkNG/Y4mkw+M4SJX7isVF9/CX0lwqzVY1dmpqjDl/0XcEiLnAAsQEnNBfyX66ti/ft9iLC21rw==tyqk-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 18 Jul 2017 17:51
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155119.GA12939@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
Toggle quote (7 lines)> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:> > THis patch upgrades heimdal to its latest version, fixing> > CVE-2017-11103. Here are a few remarks:> > Thanks! We also need to look at our samba package, which bundles heimdal> (we should fix that).
This vulnerability in samba's bundled heimdal was fixed in81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspirationfor a patch there, if necessary.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlluLncACgkQJkb6MLrKfwg2khAA8SWOo7dx42C1EB/tgevr09n8Cg8XMKozSkhC7N6MbqwZrzjOAyIj/2NAhjKnhr/IeLxOc3BEIeOO4Y+t6om8xuFwsE9NdPwt/hdWSp/KQDuAy08lBxvsXhtp9U+78fOUcf9ZRf/8RTQfRlDZ7NVAjLENIDRONqz1soYTFquSUbBWBgIh5l/E7mrrB4Bm+ymN/2rqJzR+qd5QgpcdBTBCkWa8UWmcv0AosOYFcI35cIZ8V2+SpqG489IIYfyS/Voi8Wy508X8AmvRXR7SnNTaDsx3u38hahLph0EV0wrFtl07TctBi5rSNX2tt+yLbiZC9qe+nYR2foHMdSnceZdQHY149Q80MdN41ln4mfNIohW7bwEMVd26oYFrt4Mwa/zJWz7b8ymiTSk0LmY6u2cwtgNnLQG1kAWNGk9R5K60QfKh+iDwEubYlvRjsqvVzinKhuSiOKWKZGcg/aNXRYffBdhFE8YbCpuMXTnfCjY1HAyn3Hy2l6QEbwZd3SuKNlk2VYBOYMs/K+QGyFWKRLltu6t3YhVJu2rWer+eHUBArssswTmfOp+x0DWdGeDkEA2QFxRePe6zJ2r929XZZeiyfgOUSf8KtK/QQfSuwCf9AxvYb64CHPXAdtcigEvZbZPQO30AavyVKuMoNqnk7WbiS63HLiHvQV2rln7HYP8v3Rg==ZgPj-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 18 Jul 2017 17:53
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155335.GA15745@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
Toggle quote (5 lines)> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another> long-term-support distro. I noticed an unrelated patch for Heimdal> 1.6 here:> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
I'm not sure what version of heimdal FreeBSD packages, but they areoffering a patch for this, linked from their advisory:
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlluLv8ACgkQJkb6MLrKfwj0Qg//Yq8CbzXiWrZ0431Ha4etQsuQ4Aoh/na52UhHD5fav0qPthO7vkACiYUtqUh4IGlo9uvjJ+FvLT+ukgSs5HmkZUm+gr7IfOfTfudQ0q1ovMRNylMdX+JHzirjJFzC6bWW1B+rXU+6VubFDDVP1bhGVQvb/3B0pQkgHqBW/PW3tJCNfa2blxrOGPHVBMjRY4qfz1foymYhiQlLOiL7+2GKrkIKpsrvpH3kZvwZFqIXXIAtU9pY2pG3t3/jg3BOWWgOKVSKKP84NobcZ4n7iPzY/QLaqL58v4vJIOlFxb4yzfEC84RJQy/aS7YBoozDlmGo+0RH9jVLPSjqn+QrFxEVh4fTeuANvwZWQWHrdGiaxirPxG+YMuxO8SsNuoJ/NYFBd+Z5ZPmdFhiZ8jdjdJqiQcmlWLoQNkzDTr2G6QFaDkkL6MDBW12vtydi7Jr9xhnrvyaOrWmP+UjbrujC7r3FO6RJqPdvjF4GQYfCWZEiwAxKgQMdusVvKu2qkg4RLxCnrghxAJMFLBIxPNbaVgmWhJE5KXFWcchbyut+STqOAvcENfzCHPPVLBK5wh3kTLQdWVg6snVxv1avCKfrLaTb5f1dp97TYuJ0/s7nHePwIhqjupjIuukPKbR/TOsXeIFdhqGfbUtfme8GBem0Xq6On6+A1H7m2pNPbctfjunOi2M==tHm/-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 19 Jul 2017 11:22
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
87bmogzspe.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:
[...]
Toggle quote (6 lines)>> 2. A lots of libraries are bundled>> Which directory are they in? We should take a look at them and weigh the> risk of adding new vulnerabilities through the use of (possibly old and> unmaintained) bundled libraries.>
They live in lib/. Also the configure script provides options to usesystem library instead of bundled ones.
Toggle quote (8 lines)> If things look complicated, maybe it's possible to apply a patch to this> older Heimdal while we figure everything out.>> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another> long-term-support distro. I noticed an unrelated patch for Heimdal> 1.6 here:> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a>
Agree, we should patch the old version first and deal with the bundledlibraries and test failures later.
Toggle quote (5 lines)>> 3. Many db tests fail>> Do you think they are a problem in practice? Ludovic, you added Heimdal,> what do you think about this big version bump?>
I don't know. I am hoping some test failures will disappear after weremove bundled libraries.
Toggle quote (26 lines)>> 4. It does not build reproducibly>> Not great but also not a blocker.>>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001>> From: Alex Vong <alexvong1995@gmail.com>>> Date: Tue, 18 Jul 2017 06:36:48 +0800>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].>> >> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.>> [source]: Update source uri.>> [arguments]: Adjust #:configure-flags and build phases accordingly.>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.>>> #:phases (modify-phases %standard-phases>> + (add-after 'unpack 'pre-build>> + (lambda _>> + (for-each (lambda (file) ;fix sh paths>> + (substitute* file>> + (("/bin/sh")>> + (which "sh"))))>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))>> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit> the generated Makefile directly?
I will try but personally I prefer patching the source and re-generatethe generated files. Patching the generated files feel like a hack tome. What do you think?
Thanks for the suggestions!
Here is the patch:
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001From: Alex Vong <alexvong1995@gmail.com>Date: Wed, 19 Jul 2017 17:01:47 +0800Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.
* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.* gnu/local.mk (dist_patch_DATA): Add it.* gnu/packages/kerberos.scm (heimdal)[source]: Use it.--- gnu/local.mk | 1 + gnu/packages/kerberos.scm | 1 + gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
Toggle diff (77 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 92ad112cf..d2ae454c0 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -691,6 +691,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scmindex 58f619770..3b0050fc1 100644--- a/gnu/packages/kerberos.scm+++ b/gnu/packages/kerberos.scm@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.") (sha256 (base32 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))+ (patches (search-patches "heimdal-CVE-2017-11103.patch")) (modules '((guix build utils))) (snippet '(substitute* "configure"diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patchnew file mode 100644index 000000000..d76f0df36--- /dev/null+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch@@ -0,0 +1,45 @@+Fix CVE-2017-11103:++https://orpheus-lyre.info/+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103+https://security-tracker.debian.org/tracker/CVE-2017-11103++Patch lifted from upstream source repository:++https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea++From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001+From: Jeffrey Altman <jaltman@secure-endpoints.com>+Date: Wed, 12 Apr 2017 15:40:42 -0400+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation++In _krb5_extract_ticket() the KDC-REP service name must be obtained from+encrypted version stored in 'enc_part' instead of the unencrypted version+stored in 'ticket'. Use of the unecrypted version provides an+opportunity for successful server impersonation and other attacks.++Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.++Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c+---+ lib/krb5/ticket.c | 4 ++--+ 1 file changed, 2 insertions(+), 2 deletions(-)++diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c+index d95d96d1b..b8d81c6ad 100644+--- a/lib/krb5/ticket.c++++ b/lib/krb5/ticket.c+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,+ /* check server referral and save principal */+ ret = _krb5_principalname2krb5_principal (context,+ &tmp_principal,+- rep->kdc_rep.ticket.sname,+- rep->kdc_rep.ticket.realm);++ rep->enc_part.sname,++ rep->enc_part.srealm);+ if (ret)+ goto out;+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){+-- +2.13.3+-- 2.13.3
Cheers,Alex
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAllvJO0ACgkQxYq4eRf1Ea57ZBAAk2OiiDkgnO/KfAAuR9F24kCCM7aNa2tmccDlDgI6RKr5dMQUnvmrBU7hLI7yvMq523kkxKFA+31p/pjhrBSCZsGEe4UIJDtPEcS+h3IgwHTBOB0stV2HqxlStuL/v1wK7ZcyrhN4qPWQfjGS7gim35TY5e/p/vFL+JhALom1o9PuxA1blAVGdbTLXJAKWyh9jALmYswFtxQMOntYqy3O9yKfWP4oVGf/3+mhywByEBJ5Kca7ipJDvGKgGzLKTCm/x6VT7RuGlUDaClre0PJkB8i26JhNjvWDu59BKqNnrKI7TmcxOi1hlKSjhxUNy50M2iWgDQEsysEoGNkZgUeGQRPsD3Kt8c0gqpe7yszf8kXcVQGnE1FwBKlx2wQymH5EQlB4541qQIOBoy/FvRI+p+iPeiCSxDO/J4sFACcLNWakMyjuUcKEhYO0S7/AuFKhhuvZwuadMA2JWI9glSPVo6FyMvfAMeSo1H2Kw7iHDkJgmIepFLpLZR9lssmrL2tDoutFbjrYq5LOG6N3DcDn12hfCZ24wZiORZP5E6S7389RN4GlmAabgNQmypGI+fd5kPfSwBo3rQqJPBdPetsAyOedYc7uYNMJo+OT7s0hA/LzB0bcZiFAfeezROPTnzg/CEqNM16TDUYZ5YE6IZN2g3dNtKY6WmqCs+/xquxXylg==oKma-----END PGP SIGNATURE-----
A
A
Alex Vong wrote on 19 Jul 2017 13:04
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
877ez4znze.fsf@gmail.com
I find out that our version of heimdal is also affected byCVE-2017-6594. So I amend the previous patch to fix it as well.
Changes to 'NEWS' and files in 'tests/' does not apply, so I removethem. Also, I change hunk#4 of 'kdc/krb5tgs.c' so that it applies.
It used to be:
foofoo*+bar+bar*bazbaz*
Now it is:
foofoo*+bar+bar*<empty-line>
Here is the updated patch:
From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001From: Alex Vong <alexvong1995@gmail.com>Date: Wed, 19 Jul 2017 17:01:47 +0800Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch,gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.* gnu/local.mk (dist_patch_DATA): Add them.* gnu/packages/kerberos.scm (heimdal)[source]: Use them.--- gnu/local.mk | 2 + gnu/packages/kerberos.scm | 2 + gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++ gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 +++++++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch
Toggle diff (170 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 92ad112cf..5f4bc47a0 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -691,6 +691,8 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \+ %D%/packages/patches/heimdal-CVE-2017-6594.patch \+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scmindex 58f619770..59fd944c6 100644--- a/gnu/packages/kerberos.scm+++ b/gnu/packages/kerberos.scm@@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.") (sha256 (base32 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))+ (patches (search-patches "heimdal-CVE-2017-6594.patch"+ "heimdal-CVE-2017-11103.patch")) (modules '((guix build utils))) (snippet '(substitute* "configure"diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patchnew file mode 100644index 000000000..d76f0df36--- /dev/null+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch@@ -0,0 +1,45 @@+Fix CVE-2017-11103:++https://orpheus-lyre.info/+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103+https://security-tracker.debian.org/tracker/CVE-2017-11103++Patch lifted from upstream source repository:++https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea++From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001+From: Jeffrey Altman <jaltman@secure-endpoints.com>+Date: Wed, 12 Apr 2017 15:40:42 -0400+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation++In _krb5_extract_ticket() the KDC-REP service name must be obtained from+encrypted version stored in 'enc_part' instead of the unencrypted version+stored in 'ticket'. Use of the unecrypted version provides an+opportunity for successful server impersonation and other attacks.++Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.++Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c+---+ lib/krb5/ticket.c | 4 ++--+ 1 file changed, 2 insertions(+), 2 deletions(-)++diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c+index d95d96d1b..b8d81c6ad 100644+--- a/lib/krb5/ticket.c++++ b/lib/krb5/ticket.c+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,+ /* check server referral and save principal */+ ret = _krb5_principalname2krb5_principal (context,+ &tmp_principal,+- rep->kdc_rep.ticket.sname,+- rep->kdc_rep.ticket.realm);++ rep->enc_part.sname,++ rep->enc_part.srealm);+ if (ret)+ goto out;+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){+-- +2.13.3+diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patchnew file mode 100644index 000000000..714af6030--- /dev/null+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch@@ -0,0 +1,85 @@+Fix CVE-2017-6594:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594+https://security-tracker.debian.org/tracker/CVE-2017-6594++Patch lifted from upstream source repository:++https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837++To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and+files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.++From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001+From: Viktor Dukhovni <viktor@twosigma.com>+Date: Wed, 10 Aug 2016 23:31:14 +0000+Subject: [PATCH] Fix transit path validation CVE-2017-6594++Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm+to not be added to the transit path of issued tickets. This may, in+some cases, enable bypass of capath policy in Heimdal versions 1.5+through 7.2.++Note, this may break sites that rely on the bug. With the bug some+incomplete [capaths] worked, that should not have. These may now break+authentication in some cross-realm configurations.+---+ NEWS | 14 +++++++++++++++ kdc/krb5tgs.c | 12 ++++++++++--+ tests/kdc/check-kdc.in | 17 ++++++++++++++++++ tests/kdc/krb5.conf.in | 4 +++++ 4 files changed, 45 insertions(+), 2 deletions(-)++diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c+index 6048b9c55..98503812f 100644+--- a/kdc/krb5tgs.c++++ b/kdc/krb5tgs.c+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,+ "Decoding transited encoding");+ return ret;+ }++++ /*++ * If the realm of the presented tgt is neither the client nor the server++ * realm, it is a transit realm and must be added to transited set.++ */+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {+- /* not us, so add the previous realm to transited set */+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {+ ret = ERANGE;+ goto free_realms;+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,+ const char *server_name,+ hdb_entry_ex *client,+ krb5_principal client_principal,++ const char *tgt_realm,+ hdb_entry_ex *krbtgt,+ krb5_enctype krbtgt_etype,+ krb5_principals spp,+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,+ &tgt->transited, &et,+ krb5_principal_get_realm(context, client_principal),+ krb5_principal_get_realm(context, server->entry.principal),+- krb5_principal_get_realm(context, krbtgt->entry.principal));++ tgt_realm);+ if(ret)+ goto out;+ +@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,+ krb5_keyblock sessionkey;+ krb5_kvno kvno;+ krb5_data rspac;++ const char *tgt_realm = /* Realm of TGT issuer */++ krb5_principal_get_realm(context, krbtgt->entry.principal);++@@ -2324,6 +2331,7 @@ server_lookup:+ spn,+ client,+ cp,++ tgt_realm,+ krbtgt_out,+ tkey_sign->key.keytype,+ spp,+-- +2.13.3+-- 2.13.3
Cheers,Alex
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAllvPNUACgkQxYq4eRf1Ea4XYw//WCt4vRs9l3gnTiIPTC30PJ+UIiaaUI6hwjH0ZEIkIBS1QxogtezHhMvqrfuCRJl6DeHea7R/4hk3nJJD64fjM7oRRgGZzLsEj/WSDHaXAShCis16SghYXYN/WQ/TWSLrcgY5FJi+q6UdnNpLVCXNsJmLvd0ztUgx7DhhOjxY6BXM2gqqWNavCHUQl1ZwFSWV94v9MB48tC10/LLgbj/CuzcAo7krl4SCsji02HixRUq7qxjwmMBD0sVAty8Q+6s7SkMgR36Q/YKpUgAHaOglJugotq0Gimhy1TQFrREvaZ8xUVw1tIyqgj9bVYu6taCcp/Jl7TfMsMB+fDopoz/3LwosgP0K4lNca4uzAC2vY+u0Q9wGQdMQF7IDACe3SP6xvPH8sjK1/u95HcD2HGTFVfOMQF84FYcSkU1z9Yvvhr8xUMRCwVKhov8fY2QbNCoEsAOFP0WKJiwR/bSIlOJ6oyRd+up/USxx7BFbPMx2FnHWWMXgy3xOi1JhFkhDKADtudTFmgseeZsZUlwJCO3a/hGd2/7P8XuJlEC9YyMXVcxrf3PDpNvkjHsiHlaO4TarKS1U8BTz+Bl4F6XWgqdJwqU9o6WhrJCoRqKWGIQxusYeHcuT07BxcxXskEmG+HyD7LaFqU7zI9oMd4eB28uXBU0j34gO6Xw8M4e+GsQK7M8==kh3f-----END PGP SIGNATURE-----
A
A
Alex Vong wrote on 20 Jul 2017 14:48
[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
(address . control@debbugs.gnu.org)
87bmofjmua.fsf@gmail.com
package guix-patchesretitle 27749 [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.thanks
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAllwpp0ACgkQxYq4eRf1Ea5iJxAAmGCmZF4N1ievXflVEDXy4ptK/SpprENgSP8nclBhOkmlEbfgtzgye8Fe/8J6yWYvBkH8u49dYgC6YaNWJxonWoyYCA/zDFd/c+P9B5/Zt/v9+7n0psqtBKki1OB78NIEqk3uOYSqBluUW32F2qSOIzp7eR8EEYpEjpmCY3+JxWW5ACDbeHtoJiVpMN0v7e7wK4V32PQmYwRnTX3XOc5BMQd8iY+o5AToVsmvl1mx5oj8yoEi/OvW7wGQ5QS0yhg5OVZt6ZnKcI4zp03giwjfRYU5K7LJ8mX2VYi8Y7LEoixW4/lYJWJp6A4KkowjAnm/wzKuA6jAc/sG1ZN3+TlJuZp4s7lf27jqcbSSSqErhAIf/ShQrCHt7Zpchrre0xH+e7hU119v7whTggQrZNwH2IbrHJXffEAlVUHDqe28MxntUOB0t7KZGYoesL8FTrWVQGkD78qlqFviM75mXlxwpkGeIEJnu5jbFxo4w1dQSpV55RAsuhLq9pxgQSZDasaYPw51XobMNrtV1iTqf9XeghnRDZ/Nnfo0Af/PHk1a68ABlxs4f6042Hwm99IeXYcDu64tqQ/4T/UttrRnz84pWzhWh8c0Zm0m7RNABp8H2PvCpdrFufnebvhOMWgPYR8Seva0PVMIA6uC71iAieZWzBAUPdqDwAfMjOxl07jj3ow==xS9s-----END PGP SIGNATURE-----
L
L
Leo Famulari wrote on 20 Jul 2017 21:51
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170720195134.GA19680@jasmine.lan
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
Toggle quote (12 lines)> Here is the updated patch:> > From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Wed, 19 Jul 2017 17:01:47 +0800> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.> > * gnu/packages/patches/heimdal-CVE-2017-6594.patch,> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.> * gnu/local.mk (dist_patch_DATA): Add them.> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
Thanks! I recreated the commit since the patch no longer applied to'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
I'm leaving this bug open for now so we can discuss the update.
By the way everyone, the vulnerability disclosure / promotion web page,https://orpheus-lyre.info, has a nice primer on the bug (warning, thepage plays music automatically). Thanks for including that, Alex.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllxCcYACgkQJkb6MLrKfwgj/w//Xl6oPFlyPw1vkIslntrASlZ1lhMF+s9zllthNPa496tgl/0HehQwkm0kAqM6ggMh5L52DRRu+oKCKFP81PT0tQ6G4jmRM2NhR3/DpU3zmrGPhbu5ipxh2jPSeb1aKIon6v9KaUjlwHJ1+KHYiZQQSQLh6pobDUlFMsrC039M6mHMRLqd6z6fh6Yaeq1A9hk8GYxOW3kJpfoRcLEWT+qkSCJZTu2rLvvIDKSTXFaUQFsYbi5TNEVZhMaYWOg55elGGOKf8X985DsiPoFrRQmINuMX4q+ghnvEZzl56Z4PylC3hVOSSBpajMsWZXgQFiXlhnNv+tuhDvTJFOvodKoevBHfUxRt6yZOCIvxd5dkmOAuVYFvTLLlfeV1pR76RoEr0d6Pvo3sfVUVxyfXjzF5uYn/pYdDTgydMtFGMrUoZAsNzjDLSH0JWrxx80ORA5x7szKyt4qI1/BWlBXbZCIc8IcIVi8rLonts/lIPa4nccnNMl+GuCewMq2cELDjkh55+mKR/RbFlSpyTmK5TNhdXGEEmWwf5EMOcKXXztHzigrkM0N20ADWWaGwmdKt7TTALzscwjV4lSTLBTo/Z+aTP5piVp7we/Gqk5CRcmdGUBaLCSWFgIutd4rbFXSDPjWPk8rdF9kNRC2YL72BY+rov6lIhQ6pP21PwhTiR5LiwJ8==Z7sr-----END PGP SIGNATURE-----

R
R
Ricardo Wurmus wrote on 18 Oct 2017 23:31
(name . Alex Vong)(address . alexvong1995@gmail.com)
871sm03zyd.fsf@elephly.net
Hi Alex,
Toggle quote (18 lines)> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:>> Here is the updated patch:>>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001>> From: Alex Vong <alexvong1995@gmail.com>>> Date: Wed, 19 Jul 2017 17:01:47 +0800>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.>>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.>> * gnu/local.mk (dist_patch_DATA): Add them.>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.>> Thanks! I recreated the commit since the patch no longer applied to> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.>> I'm leaving this bug open for now so we can discuss the update.
As mentioned before, the new release bundles a bunch of third partylibraries. It is not clear to me if *all* things under “lib” areexternal libraries or if some of them are part of the source code ofheimdal.
Can we learn from the Debian package for heimdal here?
I think we really ought to update from the very old version we are usingcurrently.
--Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAChttps://elephly.net
R
R
Ricardo Wurmus wrote on 19 Oct 2017 00:44
control message for bug #27749
(address . control@debbugs.gnu.org)
E1e54NT-0007TO-DR@debbugs.gnu.org
retitle 27749 gnu: heimdal: Update to 7.4.0.
A
A
Alex Vong wrote on 19 Oct 2017 16:57
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87vajbchiv.fsf@gmail.com
Ricardo Wurmus <rekado@elephly.net> writes:
Toggle quote (25 lines)> Hi Alex,>>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:>>> Here is the updated patch:>>>>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001>>> From: Alex Vong <alexvong1995@gmail.com>>>> Date: Wed, 19 Jul 2017 17:01:47 +0800>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.>>>>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.>>> * gnu/local.mk (dist_patch_DATA): Add them.>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.>>>> Thanks! I recreated the commit since the patch no longer applied to>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.>>>> I'm leaving this bug open for now so we can discuss the update.>> As mentioned before, the new release bundles a bunch of third party> libraries. It is not clear to me if *all* things under “lib” are> external libraries or if some of them are part of the source code of> heimdal.>
No, I don't think so. At least the heimdal/ subdirectory[0] shouldcontain non-third-party code.
Toggle quote (2 lines)> Can we learn from the Debian package for heimdal here?>
Good suggestion, I think the Build-Depends field in [1] will help. Forexmaples, we should not use the bundled sqlite.
Toggle quote (3 lines)> I think we really ought to update from the very old version we are using> currently.>
Agree, our version is even older than the one in Debian old stable.
Toggle quote (6 lines)> --> Ricardo>> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC> https://elephly.net
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlnovUkACgkQxYq4eRf1Ea4B2g//YD3cKmklgFhFoeYmjIzw2YvqGBdKa+N2ktuelNSGkCM8QCCKV6AmSOoKfjvNyxoKfq79Syir6s9zqBh1gs16YAXYBuUGsJHwfoKAmqjvMh5i+6qxlhh0mt3YHW4A7cnM/5S3et/LU44Mtu9NjQupaNqCKb6UCOlPa7iBjnQ6+FMMihzNQGbBqNgWgOFLZUOPl5kZLaNahk0VF9YojCVOSZdL/GjdD0HCLZqI7TSgRqPeSXb6YJk8CvG3JEVDc+H8tmYSKZ2gIGfuClVaBhKPQ/bPV88EQklF54GQhhSsMjent6kCpgCbminYo+tVNIio7xh2SVDLOvKqP6hATBaiESct3ylfBoC3GJbkdUrtFKzIRURS4QsLdYK3oyGiEWOXESWEnlAdZNXIkmbCdYevzyCCLKq6n9tJ9+jO5CPAa+N/L3wZQK/8DAcUN2a/s1mfhSedsb1ugj9jRsN8O+i0+Z9jPiXbvwTYBy9g3P9JUoHEeb1WXoymj9KFGiBLqsgDUNKfZELgpqutkNJAfp1uwQR4Ekr1rvbYpBLrCfvX0wpSqvqZSSSV8QQgNXTyZwqYLQb4BGbnPFs8ypbgfbrgRtwiNFLZq+y3LM6dXw7EZyyVbPWGe+0CmX2sM1gV75fnV+wHI9XC0FTS8/1VBW9ui1ZXRDzGHvSLtKGzjwkI4Y8==4lsb-----END PGP SIGNATURE-----
A
A
Alex Vong wrote on 21 Oct 2017 11:52
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87k1zon7yd.fsf@gmail.com
Hello,
This is the new patch. It is basically the first patch but with thesqlite and libedit bundled dependecies removed. I don't know if thereare any other bundled dependencies so I am asking this on the heimdalmailing list.
Also, since I am not a user of heimdal, we need someone to check if thenew version does work properly (as some test failures occur).
From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001From: Alex Vong <alexvong1995@gmail.com>Date: Tue, 18 Jul 2017 06:36:48 +0800Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.[source]: Update source uri.[arguments]: Adjust #:configure-flags and build phases accordingly.[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzipand sqlite.--- gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 64 insertions(+), 22 deletions(-)
Toggle diff (128 lines)diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scmindex 801b4e44a..fde310e65 100644--- a/gnu/packages/kerberos.scm+++ b/gnu/packages/kerberos.scm@@ -6,6 +6,7 @@ ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.") (define-public heimdal (package (name "heimdal")- (version "1.5.3")+ (version "7.4.0") (source (origin (method url-fetch)- (uri (string-append "http://www.h5l.org/dist/src/heimdal-"- version ".tar.gz"))+ (uri (string-append "https://github.com/" name "/" name+ "/releases/download/" name "-" version+ "/" name "-" version ".tar.gz")) (sha256 (base32- "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))- (patches (search-patches "heimdal-CVE-2017-6594.patch"- "heimdal-CVE-2017-11103.patch"))+ "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x")) (modules '((guix build utils))) (snippet '(substitute* "configure"@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.") (("Date=.*$") "Date=2017\n"))))) (build-system gnu-build-system) (arguments- '(#:configure-flags (list- ;; Work around a linker error.- "CFLAGS=-pthread"+ '(#:modules ((guix build gnu-build-system)+ (guix build utils)+ (srfi srfi-26))++ #:configure-flags (list+ (string-append "CPPFLAGS=-D_PATH_BSHELL="+ (assoc-ref %build-inputs "bash")+ "/bin/sh") ;; Avoid 7 MiB of .a files. "--disable-static" ;; Do not build libedit.- (string-append- "--with-readline-lib="- (assoc-ref %build-inputs "readline") "/lib")- (string-append- "--with-readline-include="- (assoc-ref %build-inputs "readline") "/include"))+ (string-append "--with-readline="+ (assoc-ref %build-inputs "readline"))++ ;; Do not build sqlite.+ (string-append "--with-sqlite3="+ (assoc-ref %build-inputs "sqlite"))) #:phases (modify-phases %standard-phases+ (add-after 'unpack 'pre-build+ (lambda _+ (for-each (lambda (file) ;fix sh paths+ (substitute* file+ (("/bin/sh")+ (which "sh"))))+ '("appl/afsutil/pagsh.c" "tools/Makefile.am"))+ (substitute* "lib/roken/getxxyyy.c" ;set user during test+ (("user = getenv\\(\"USER\"\\);")+ (format #f+ "#ifndef TEST_GETXXYYY+#error \"TEST_GETXXYYY is not defined\"+#endif+user = \"~a\";+"+ (passwd:name (getpwuid (getuid))))))+ #t))++ (add-after 'pre-build 'autogen+ (lambda _+ (zero? (system* "sh" "autogen.sh"))))++ ;; FIXME: figure out the complete list of bundled libraries+ (add-after 'configure 'remove-bundled-libraries+ (lambda _+ (for-each delete-file-recursively+ '("lib/libedit" "lib/sqlite"))))+ (add-before 'check 'skip-tests (lambda _- ;; The test simply runs 'ftp --version && ftp --help'- ;; but that fails in the chroot because 'ftp' tries to- ;; do a service lookup before printing the help/version.- (substitute* "appl/ftp/ftp/Makefile.in"- (("^CHECK_LOCAL =.*")- "CHECK_LOCAL = no-check-local\n"))+ ;; skip db tests for now+ ;; FIXME: figure out why they fail+ (call-with-output-file "tests/db/have-db.in"+ (cut format <> "#!~a~%exit 1~%" (which "sh"))) #t)))))+ (native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et'- (inputs `(("readline" ,readline)+ (inputs `(("autoconf" ,autoconf) ;for autogen+ ("automake" ,automake)+ ("libtool" ,libtool)+ ("perl" ,perl)+ ("perl-json" ,perl-json)++ ("texinfo" ,texinfo) ;for doc+ ("unzip" ,unzip) ;for test++ ("readline" ,readline)+ ("sqlite" ,sqlite) ("bdb" ,bdb) ("e2fsprogs" ,e2fsprogs))) ;for libcom_err (home-page "http://www.h5l.org/")-- 2.14.2
Cheers,Alex
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlnrGPoACgkQxYq4eRf1Ea4eKRAAlhzW4SoYKsplNxPmnDurV3xetKX54sZAeourh6yET3nftVkCQAci6WTum3erDk3uFEY++uYlymgiV/SI9qZr7zupVCgN1QMZuBE8JcbsmDVyf03CPqM0I3BE25neMjEniNR06K5XBzv3WFR6j2O7UaZTQ3ELA779N5+X+oYT/ujjNOzRUsHHdMn10Js/083JrVdfs51yKyAc44OPJzADzqntAj7e2+tFtCarJ9qLs6W4iyqqCs3W1qlphYIcpM5e+AFjWpsZkzTnN5DU3mLtgMZO+BIxLcWSkDXi0Tgq5Crw018sc36y2+xj9R3DYeh7LJfybxGP9dgo++a1ZzKu2Xt5NGk31SLE77U+tqdvc7S3ZkXLG9t+77mx7mHxMAnQRzbcC3a3m4mnlq47h2CwXsF119s4AdVy2AwQ8gZYnpTewU5EJmlS0CTcB+bmncJdGlKlvIgGOnAb/0wkLwoYjvbUzMg6WOs9LG4hxmdMm9gMNbUeCTfJva0FcpfM4UkaZF3mN4dzen7xvoW1lkAE/ByDGiMUh3TJY0JLb2wOyEdLgzgUJNFBjxMX2pNVE7KKiYAWLbYJQg7FpzIAUe5Hmc2IfrIfcUxFk7lHEtftTJ8p6PCTeuAUqPpYBNR1z8icEQ798XOVYK6ef/k8kkJEUAo9s0+7I5amFJ8iN5J9H+A==EbAc-----END PGP SIGNATURE-----
L
L
Leo Famulari wrote on 26 Nov 2017 23:59
(name . Alex Vong)(address . alexvong1995@gmail.com)
20171126225942.GB10571@jasmine.lan
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
Toggle quote (22 lines)> Hello,> > This is the new patch. It is basically the first patch but with the> sqlite and libedit bundled dependecies removed. I don't know if there> are any other bundled dependencies so I am asking this on the heimdal> mailing list.> > Also, since I am not a user of heimdal, we need someone to check if the> new version does work properly (as some test failures occur).>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Tue, 18 Jul 2017 06:36:48 +0800> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.> > * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.> [source]: Update source uri.> [arguments]: Adjust #:configure-flags and build phases accordingly.> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip> and sqlite.
What's the status of this patch? Did anyone test it?
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlobR14ACgkQJkb6MLrKfwiDXhAAswS0UCYh/cEhwFoHQDmIgu7S+dnI/h9m9f5seFopqchMyBMUiCTOyEKIxaDgw2wEVcVKtSX/zYzWKeb4iBXnsdk2rl9Sk5txRbXr6dCtW0WyCnJgCBDgZG1xeHfh7oLK0V00l1FbL0Kw4KHIeiraYugiYYBUTa6LYKF2x/XKCOZDbrc8qXS0M2vRwX4uxNscuYuf7x9qX5wvuskOtkM+jcs0ggNR6C32OoDD2BlbRmezGjvqnwpot5Z1PekqFs/EGvFVl9AiQZrexISKvOuAOX7Z/NQ2f9caNsWiZKNlUXQNtEAngJU5C4OdoX89B614YqI32yLEYG3n5WHuhVyHMZBUY3z6CvtsiNzg1frEqx7757xq/8YGwkPbAa90gAzQ4aOul2HED3MgMKR+y6MWGKFFx3wNImJfUC4JKhoMt/q3d3K8o4oTIP+iesRcjlftfYUqc1aO3K2dbZK6R8wyuxFsZVxlUBPpAUaaRgYBV4e4IjGA/Ja2PhGHswHhbaBVZhWsFGVLflvbOpI5sES9BFlX57fEQp15UUh1IUAlyzZi5n0cLE9tncsC1ONwg1CfaACdRvrUR0CU65g8zqzjZr/pNsKCr1eXUjtWd2WfnALnucenA58DamaKmFlgF4cDkkOnLoCL7rgEQZP+tKCycaeABU2TC/Jxz9o8mzaJ0os==1A3/-----END PGP SIGNATURE-----

C
C
Christopher Baines wrote on 19 Mar 2018 09:21
control message for bug #27749
(address . control@debbugs.gnu.org)
87in9s5vd2.fsf@cbaines.net
tags 27749 patch
宋文武 wrote on 10 Jun 2018 10:04
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)
87fu1vgj9i.fsf@member.fsf.org
Alex Vong <alexvong1995@gmail.com> writes:
Toggle quote (16 lines)> Hello,>> This is the new patch. It is basically the first patch but with the> sqlite and libedit bundled dependecies removed. I don't know if there> are any other bundled dependencies so I am asking this on the heimdal> mailing list.>> Also, since I am not a user of heimdal, we need someone to check if the> new version does work properly (as some test failures occur).>> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Tue, 18 Jul 2017 06:36:48 +0800> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.>
Hello, I adjust this patch to version '7.5.0', and pushed, thank you!
Closing now :-)
Closed
A
A
Alex Vong wrote on 25 Jun 2018 05:16
(name . 宋文武)(address . iyzsong@member.fsf.org)
CADrxHD_kcNYV2tK_7+bd80W37uHpSjMfXK47ZPrNevGnZpn=Og@mail.gmail.com
Thanks for taking care of it!

On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:
Toggle quote (22 lines)> Alex Vong <alexvong1995@gmail.com> writes:>> > Hello,> >> > This is the new patch. It is basically the first patch but with the> > sqlite and libedit bundled dependecies removed. I don't know if there> > are any other bundled dependencies so I am asking this on the heimdal> > mailing list.> >> > Also, since I am not a user of heimdal, we need someone to check if the> > new version does work properly (as some test failures occur).> >> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001> > From: Alex Vong <alexvong1995@gmail.com>> > Date: Tue, 18 Jul 2017 06:36:48 +0800> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.> >>> Hello, I adjust this patch to version '7.5.0', and pushed, thank you!>> Closing now :-)>
Attachment: file
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 27749@debbugs.gnu.org