From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 18 11:49:10 2017 Received: (at 27749) by debbugs.gnu.org; 18 Jul 2017 15:49:10 +0000 Received: from localhost ([127.0.0.1]:46819 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dXUkI-0007a2-5T for submit@debbugs.gnu.org; Tue, 18 Jul 2017 11:49:10 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:49703) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dXUkG-0007Zv-Rz for 27749@debbugs.gnu.org; Tue, 18 Jul 2017 11:49:09 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 0FCB220AF5; Tue, 18 Jul 2017 11:49:08 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Tue, 18 Jul 2017 11:49:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=HG812aSA0S2rQNy8zkmW4zS97dI37hqVV5kAOE 5zfqg=; b=znplruQvJkSIXP6Os9H3Yje+NqIlUZ3XjWdZkrPHav7m23JXw0ngkU jO+VG4ACUw+k89W4FjqHV2m19rXWFbQyJmFYwzxnKDGIdYYwQY5LzpmUdhpyUX52 5IKdZFi+Ahhd6C5W5UHNGgve23lnqzsh+e4NLqW0YYOallRBzkcYo= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=HG812aSA0S2rQNy8zk mW4zS97dI37hqVV5kAOE5zfqg=; b=DapcZiINpkad7wT3vt4uaR6Bs26gGIEY6g ku+mM7eiDof0alHTL6brLJaXQQnGj/LRhzib5pEofOsubiYOF0bV16ImY9NsPuHL rZ9C46uzBqk8smMFdEi4PxoTAb4S1+HVwlyyu8GEdRLD9M7bnrc0MQaY/VhGvjDM 3gJhBQ9OKslg626QXjQb3Rl44wlK9nxOH73Q33mdA1jftyfTnfk0lsQMY8RcUWKL vEexPFWnAsaC6cwhVtYlIM81V3fgC47eqAbmZBDS1McBCo/CCkHPFsYlFTciv8fT NhIid6408MpsT1p85CEjJFOHzDnSKXb21YvoS9JHReW17o2B3hBw== X-ME-Sender: X-Sasl-enc: 31ZZUoCt5hfEQCWOe/MQTxEHIH1nORYpHs7FsOZ4YaOZ 1500392947 Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id BC490248CD; Tue, 18 Jul 2017 11:49:07 -0400 (EDT) Date: Tue, 18 Jul 2017 11:49:06 -0400 From: Leo Famulari To: Alex Vong Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103]. Message-ID: <20170718154906.GB16798@jasmine.lan> References: <87wp76kv68.fsf@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="8GpibOaaTibBMecb" Content-Disposition: inline In-Reply-To: <87wp76kv68.fsf@gmail.com> User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 27749 Cc: 27749@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) --8GpibOaaTibBMecb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote: > THis patch upgrades heimdal to its latest version, fixing > CVE-2017-11103. Here are a few remarks: Thanks! We also need to look at our samba package, which bundles heimdal (we should fix that). > 1. Upstream switches to github for hosting Okay. > 2. A lots of libraries are bundled Which directory are they in? We should take a look at them and weigh the risk of adding new vulnerabilities through the use of (possibly old and unmaintained) bundled libraries. If things look complicated, maybe it's possible to apply a patch to this older Heimdal while we figure everything out. Maybe we can find a patch for CVE-2017-11103 from Red Hat or another long-term-support distro. I noticed an unrelated patch for Heimdal 1.6 here: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=3Ddebian= /jessie&id=3D6d27073da8b45b5c67ca4ad74696489e49c4df1a > 3. Many db tests fail Do you think they are a problem in practice? Ludovic, you added Heimdal, what do you think about this big version bump? > 4. It does not build reproducibly Not great but also not a blocker. > From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001 > From: Alex Vong > Date: Tue, 18 Jul 2017 06:36:48 +0800 > Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103]. >=20 > * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0. > [source]: Update source uri. > [arguments]: Adjust #:configure-flags and build phases accordingly. > [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo. > #:phases (modify-phases %standard-phases > + (add-after 'unpack 'pre-build > + (lambda _ > + (for-each (lambda (file) ;fix sh paths > + (substitute* file > + (("/bin/sh") > + (which "sh")))) > + '("appl/afsutil/pagsh.c" "tools/Makefile= =2Eam")) Do we re-bootstrap because we edit Makefile.am? Is it possible to edit the generated Makefile directly? --8GpibOaaTibBMecb Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlluLe4ACgkQJkb6MLrK fwgD7hAAv3heJSRc60o2L4Wxwyk7MXpKb/qufSPeBnO3NWPlb8U1QEJNxlfsA/HO olwwZ4rQ2YnD/MZrZu1b+suIvAe10mgHNXRmetrvxLHfEmtgq5xJave/6jvdf9w3 XwGyIolYzkR+WcsGtO1JWnVMi+q1L7gQBff592b1YeiJEjXgHQt20e8BG5eUvR2S BKkuVmsHgeaRiDii/eL50Ji3Cmr3gxb10k+tL1sDfIa2C/7/aZG4VDWwVRv4WmNL F6jC2KMOcMwIjPl+UTKY85yBIoTLZcQD+Gz1NgdJQyXMpOMAA7rI6H6SUwFolSqR FMPdxaqjLgpEBR5R6kU5CHDde4gXpnVIdkNG7AXwnI/76fLXFG6Wkl+Q4JGhwOyh Mm+Ox9ZRcAj4BXCdCYRLp/LHzGUlmOXkEzaGAGm7nYLzx8o/rMsLmh23R+axWmx/ 9c/CZODZJ2EOdTpR74mjKLd9W41zXeKlwxzfXh9DV/ujwfT7cjBZ0aO5yhalG2Zi +ZsHQw+VmHESQeexcN4MALTklTl3TY9SWJ6WndrT35pS+OhOoacahe1Lm/0VCT7+ AChM0XTxeSW/T+4NMoH2dv9GEBtextXqjbQCyNyvfpkNG/Y4mkw+M4SJX7isVF9/ CX0lwqzVY1dmpqjDl/0XcEiLnAAsQEnNBfyX66ti/ft9iLC21rw= =tyqk -----END PGP SIGNATURE----- --8GpibOaaTibBMecb--