gnu: heimdal: Update to 7.4.0.

  • Done
Details
5 participants
  • Alex Vong
  • ???
  • Leo Famulari
  • Christopher Baines
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
Alex Vong wrote on 18 Jul 2017 10:26
[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(address . guix-patches@gnu.org)
87wp76kv68.fsf@gmail.com
Tags: security

Hello,

This patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decided to submit this even though many db tests fail because I think we
should fix CVE-2017-11103 asap.
Cheers,
Alex

Leo Famulari wrote on 18 Jul 2017 17:49
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718154906.GB16798@jasmine.lan
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> This patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lot of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

> #:phases (modify-phases %standard-phases
> + (add-after 'unpack 'pre-build
> + (lambda _
> + (for-each (lambda (file) ;fix sh paths
> + (substitute* file
> + (("/bin/sh")
> + (which "sh"))))
> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
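
Review bot: In the 'pre-build phase, the "/bin/sh" replacement is also applied to appl/afsutil/pagsh.c, a C source file, so the path returned by (which "sh") is compiled into the resulting program rather than used only during the build. Because which searches the build environment's PATH, taking the shell from the package's inputs, for example (string-append (assoc-ref inputs "bash") "/bin/sh") inside a (lambda* (#:key inputs #:allow-other-keys) ...), would state the run-time dependency explicitly and stay correct when cross-compiling.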

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?


Leo Famulari wrote on 18 Jul 2017 17:51
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155119.GA12939@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > This patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
>
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.


Leo Famulari wrote on 18 Jul 2017 17:53
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170718155335.GA15745@jasmine.lan
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:



Alex Vong wrote on 19 Jul 2017 11:22
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
87bmogzspe.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also, the configure script provides options to use
system libraries instead of the bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>> #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'pre-build
>> + (lambda _
>> + (for-each (lambda (file) ;fix sh paths
>> + (substitute* file
>> + (("/bin/sh")
>> + (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try, but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 1 +
gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \
%D%/packages/patches/higan-remove-march-native-flag.patch \
%D%/packages/patches/hubbub-sort-entities.patch \
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
(sha256
(base32
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ (patches (search-patches "heimdal-CVE-2017-11103.patch"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+
--
2.13.3
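
Review bot: In the lib/krb5/ticket.c hunk, the comment above the call to _krb5_principalname2krb5_principal() still reads only "check server referral and save principal", although the fix depends entirely on both arguments now coming from rep->enc_part rather than rep->kdc_rep.ticket. A sentence in that comment saying the service name and realm must be taken from the encrypted part would guard against a later cleanup switching back to rep->kdc_rep.ticket.sname. The embedded diffstat lists lib/krb5/ticket.c alone, so nothing in this patch exercises a reply in which the two names differ.
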
Cheers,
Alex

Alex Vong wrote on 19 Jul 2017 13:04
(name . Leo Famulari)(address . leo@famulari.name)(address . 27749@debbugs.gnu.org)
877ez4znze.fsf@gmail.com
I found out that our version of heimdal is also affected by
CVE-2017-6594, so I amended the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' do not apply, so I removed
them. Also, I changed hunk #4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo
foo*
+bar
+bar*
baz
baz*

Now it is:

foo
foo*
+bar
+bar*
<empty-line>

Here is the updated patch:
Cheers,
Alex

Alex Vong wrote on 20 Jul 2017 14:48
[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
(address . control@debbugs.gnu.org)
87bmofjmua.fsf@gmail.com
package guix-patches
retitle 27749 [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
thanks

Leo Famulari wrote on 20 Jul 2017 21:51
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27749@debbugs.gnu.org)
20170720195134.GA19680@jasmine.lan
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
>
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
https://orpheus-lyre.info, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.


Ricardo Wurmus wrote on 18 Oct 2017 23:31
(name . Alex Vong)(address . alexvong1995@gmail.com)
871sm03zyd.fsf@elephly.net
Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries. It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
Ricardo Wurmus wrote on 19 Oct 2017 00:44
control message for bug #27749
(address . control@debbugs.gnu.org)
E1e54NT-0007TO-DR@debbugs.gnu.org
retitle 27749 gnu: heimdal: Update to 7.4.0.
Alex Vong wrote on 19 Oct 2017 16:57
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87vajbchiv.fsf@gmail.com
Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries. It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
example, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net


Alex Vong wrote on 21 Oct 2017 11:52
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87k1zon7yd.fsf@gmail.com
Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependencies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).
Cheers,
Alex

Leo Famulari wrote on 26 Nov 2017 23:59
(name . Alex Vong)(address . alexvong1995@gmail.com)
20171126225942.GB10571@jasmine.lan
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?


Christopher Baines wrote on 19 Mar 2018 09:21
control message for bug #27749
(address . control@debbugs.gnu.org)
87in9s5vd2.fsf@cbaines.net
tags 27749 patch
?
Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
(name . Alex Vong)(address . alexvong1995@gmail.com)
87fu1vgj9i.fsf@member.fsf.org
Alex Vong <alexvong1995@gmail.com> writes:

> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjusted this patch to version '7.5.0' and pushed it, thank you!

Closing now :-)
Closed
Alex Vong wrote on 25 Jun 2018 05:16
(name . ???)(address . iyzsong@member.fsf.org)
CADrxHD_kcNYV2tK_7+bd80W37uHpSjMfXK47ZPrNevGnZpn=Og@mail.gmail.com
Thanks for taking care of it!


On 10 June 2018 at 16:04, ??? <iyzsong@member.fsf.org> wrote:

> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependencies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjusted this patch to version '7.5.0' and pushed it, thank you!
>
> Closing now :-)
>