gnu: heimdal: Update to 7.4.0.

  • Done
Details
5 participants
  • Alex Vong
  • ???
  • Leo Famulari
  • Christopher Baines
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
Alex Vong wrote on 18 Jul 2017 10:26
[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(address . guix-patches@gnu.org)
87wp76kv68.fsf@gmail.com
Tags: security

Hello,

This patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decided to submit this despite many db tests failing because I think we
should fix CVE-2017-11103 asap.
Cheers,
Alex

Leo Famulari wrote on 18 Jul 2017 17:49
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718154906.GB16798@jasmine.lan
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> This patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lot of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
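1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a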

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

> #:phases (modify-phases %standard-phases
> + (add-after 'unpack 'pre-build
> + (lambda _
> + (for-each (lambda (file) ;fix sh paths
> + (substitute* file
> + (("/bin/sh")
> + (which "sh"))))
> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
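
Review bot: (which "sh") in the new 'pre-build phase takes the shell from the build environment's PATH, which suits tools/Makefile.am but is questionable for appl/afsutil/pagsh.c, a C source in which the substituted string ends up in the built program as a run-time reference. Consider taking the path for pagsh.c from the package inputs instead, for example (string-append (assoc-ref inputs "bash") "/bin/sh") with inputs bound in the lambda, so the reference stays correct when cross-compiling, and keep 'which' for the Makefile only.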

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?


Leo Famulari wrote on 18 Jul 2017 17:51
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155119.GA12939@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > This patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
>
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.


Leo Famulari wrote on 18 Jul 2017 17:53
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155335.GA15745@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:



Alex Vong wrote on 19 Jul 2017 11:22
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
87bmogzspe.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also, the configure script provides options to use
system libraries instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>> #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'pre-build
>> + (lambda _
>> + (for-each (lambda (file) ;fix sh paths
>> + (substitute* file
>> + (("/bin/sh")
>> + (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try, but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 1 +
gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \
%D%/packages/patches/higan-remove-march-native-flag.patch \
%D%/packages/patches/hubbub-sort-entities.patch \
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
(sha256
(base32
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ (patches (search-patches "heimdal-CVE-2017-11103.patch"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+
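Review bot: the embedded upstream hunk for lib/krb5/ticket.c changes only the two arguments of the _krb5_principalname2krb5_principal call, and its offsets (@@ -705,8 +705,8 @@) are those of the upstream repository the patch was lifted from, not necessarily those of the release this package builds. Confirm that it applies to the packaged source without fuzz and that no other place in _krb5_extract_ticket still takes the service name from rep->kdc_rep.ticket for a comparison; a sentence in the patch header recording which Heimdal version it was checked against would help whoever rebases it later.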
--
2.13.3
Cheers,
Alex
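
The check that the upstream patch quoted above changes, as an added example (not part of the original message and not Heimdal's code): a simplified C model of a KDC-REP in which the cleartext ticket name and the enc_part name can disagree, comparing the pre-fix and post-fix decisions. The struct and function names, the extra disagreement verdict and the EXAMPLE.TEST principals are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a service principal (not Heimdal's real types). */
struct principal {
    const char *realm;
    const char *comp[2];            /* name components, e.g. host/files.example.test */
    size_t ncomp;
};

/* Model of a KDC-REP after the client has decrypted enc_part.
 * ticket_plain ~ rep->kdc_rep.ticket.{sname,realm}: cleartext on the wire.
 * enc_part     ~ rep->enc_part.{sname,srealm}: protected by the reply key. */
struct kdc_rep_model {
    struct principal ticket_plain;
    struct principal enc_part;
};

enum verdict { REP_OK, REP_WRONG_SERVICE, REP_FIELDS_DISAGREE };

static bool principal_equal(const struct principal *a, const struct principal *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return false;
    for (size_t i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Pre-fix logic: the requested service is compared with the cleartext copy. */
bool accept_unpatched(const struct kdc_rep_model *rep, const struct principal *want)
{
    return principal_equal(&rep->ticket_plain, want);
}

/* Post-fix logic: compare with the encrypted copy. The disagreement check is
 * an extra of this example (a useful logging signal), not part of the patch. */
enum verdict check_patched(const struct kdc_rep_model *rep, const struct principal *want)
{
    if (!principal_equal(&rep->enc_part, want))
        return REP_WRONG_SERVICE;
    if (!principal_equal(&rep->ticket_plain, &rep->enc_part))
        return REP_FIELDS_DISAGREE;
    return REP_OK;
}

/* Constructed sample data: {cleartext copy, encrypted copy}. */
#define SVC(host) { "EXAMPLE.TEST", { "host", host }, 2 }
static const struct principal REQUESTED = SVC("files.example.test");
static const struct kdc_rep_model HONEST_REP   = { SVC("files.example.test"), SVC("files.example.test") };
static const struct kdc_rep_model MISMATCH_REP = { SVC("files.example.test"), SVC("other.example.test") };
static const struct kdc_rep_model ALTERED_REP  = { SVC("other.example.test"), SVC("files.example.test") };

int main(void)
{
    const struct kdc_rep_model *reps[] = { &HONEST_REP, &MISMATCH_REP, &ALTERED_REP };
    for (size_t i = 0; i < 3; i++)
        printf("reply %zu: unpatched accepts=%d, patched verdict=%d\n", i,
               accept_unpatched(reps[i], &REQUESTED),
               (int)check_patched(reps[i], &REQUESTED));
    return 0;
}
```

MISMATCH_REP is the case the fix is about: the cleartext copy matches what the client asked for, so the pre-fix comparison accepts it, while the encrypted copy names a different service.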

Alex Vong wrote on 19 Jul 2017 13:04
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
877ez4znze.fsf@gmail.com
I found out that our version of heimdal is also affected by
CVE-2017-6594. So I amended the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' do not apply, so I removed
them. Also, I changed hunk #4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo
foo*
+bar
+bar*
baz
baz*

Now it is:

foo
foo*
+bar
+bar*
<empty-line>

Here is the updated patch:
Cheers,
Alex

Alex Vong wrote on 20 Jul 2017 14:48
[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
(address . control@debbugs.gnu.org)
87bmofjmua.fsf@gmail.com
package guix-patches
retitle 27749 [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
thanks

Leo Famulari wrote on 20 Jul 2017 21:51
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170720195134.GA19680@jasmine.lan
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
>
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
https://orpheus-lyre.info, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.


Ricardo Wurmus wrote on 18 Oct 2017 23:31
(name . Alex Vong)(address . alexvong1995@gmail.com)
871sm03zyd.fsf@elephly.net
Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries. It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
Ricardo Wurmus wrote on 19 Oct 2017 00:44
control message for bug #27749
(address . control@debbugs.gnu.org)
E1e54NT-0007TO-DR@debbugs.gnu.org
retitle 27749 gnu: heimdal: Update to 7.4.0.
Alex Vong wrote on 19 Oct 2017 16:57
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87vajbchiv.fsf@gmail.com
Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries. It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
example, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net


Alex Vong wrote on 21 Oct 2017 11:52
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87k1zon7yd.fsf@gmail.com
Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependencies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).
Cheers,
Alex

Leo Famulari wrote on 26 Nov 2017 23:59
(name . Alex Vong)(address . alexvong1995@gmail.com)
20171126225942.GB10571@jasmine.lan
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?


Christopher Baines wrote on 19 Mar 2018 09:21
control message for bug #27749
(address . control@debbugs.gnu.org)
87in9s5vd2.fsf@cbaines.net
tags 27749 patch
?
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)
87fu1vgj9i.fsf@member.fsf.org
Alex Vong <alexvong1995@gmail.com> writes:

> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!

Closing now :-)
Closed
Alex Vong wrote on 25 Jun 2018 05:16
(name . ???)(address . iyzsong@member.fsf.org)
CADrxHD_kcNYV2tK_7+bd80W37uHpSjMfXK47ZPrNevGnZpn=Og@mail.gmail.com
Thanks for taking care of it!


On 10 June 2018 at 16:04, ??? <iyzsong@member.fsf.org> wrote:

> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependencies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>

This issue is archived.
