Leo Famulari writes:

[...]

>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>

They live in lib/. Also the configure script provides options to use system libraries instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>

Agree, we should patch the old version first and deal with the bundled libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>

I don't know. I am hoping some test failures will disappear after we remove the bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>        #:phases (modify-phases %standard-phases
>> +                 (add-after 'unpack 'pre-build
>> +                   (lambda _
>> +                     (for-each (lambda (file) ;fix sh paths
>> +                                 (substitute* file
>> +                                   (("/bin/sh")
>> +                                    (which "sh"))))
>> +                               '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try, but personally I prefer patching the source and re-generating the generated files. Patching the generated files feels like a hack to me. What do you think?

Thanks for the suggestions! Here is the patch:
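Review bot: in the 'pre-build phase of the quoted hunk, the substitute* pattern "/bin/sh" is an unanchored regular expression, so it also matches the tail of any longer path such as "/usr/bin/sh" and rewrites it to "/usr" followed by the store path returned by (which "sh"), which is not a valid interpreter path. Anchor the pattern to what precedes it in appl/afsutil/pagsh.c and tools/Makefile.am (for example a leading quote or "#!"), or match "(/usr)?/bin/sh" and replace the whole match. Note also that touching tools/Makefile.am is what forces automake to re-run and is the reason autoconf, automake and libtool appear in the added inputs; if only the generated tools/Makefile needs the fix, substituting that file after 'configure would avoid the re-bootstrap, which is the trade-off Leo's question is pointing at.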