GNU bug report logs - #27749
gnu: heimdal: Update to 7.4.0.

Previous Next

Package: guix-patches;

Reported by: Alex Vong <alexvong1995 <at> gmail.com>

Date: Tue, 18 Jul 2017 08:28:01 UTC

Severity: normal

Tags: patch, security

Done: iyzsong <at> member.fsf.org (宋文武)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27749 in the body.
You can then email your comments to 27749 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 08:28:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alex Vong <alexvong1995 <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 18 Jul 2017 08:28:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 16:26:23 +0800
[Message part 1 (text/plain, inline)]
Tags: security

Hello,

THis patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lots of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decide to submit this despite many db tests fail because I think we
should fix CVE-2017-11103 asap.

[0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch (text/x-diff, inline)]
From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
 gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..5682a0add 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita <at> karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages gnupg)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
-              (snippet
+              (snippet ;FIXME: remove bundled libraries
                '(substitute* "configure"
                   (("User=.*$") "User=Guix\n")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.")
                            (assoc-ref %build-inputs "readline") "/include"))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
-- 
2.13.3

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:50:01 GMT) Full text and rfc822 format available.

Message #8 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:49:06 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> THis patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lots of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

>         #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'pre-build
> +                    (lambda _
> +                      (for-each (lambda (file) ;fix sh paths
> +                                  (substitute* file
> +                                    (("/bin/sh")
> +                                     (which "sh"))))
> +                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:52:01 GMT) Full text and rfc822 format available.

Message #11 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:51:19 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > THis patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
> 
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:54:02 GMT) Full text and rfc822 format available.

Message #14 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:53:35 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Wed, 19 Jul 2017 09:24:02 GMT) Full text and rfc822 format available.

Message #17 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Wed, 19 Jul 2017 17:22:53 +0800
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

[...]
>> 2. A lots of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also the configure script provides options to use
system library instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995 <at> gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and re-generate
the generated files. Patching the generated files feel like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:
[0001-gnu-heimdal-Fix-CVE-2017-11103.patch (text/x-diff, inline)]
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman <at> secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
-- 
2.13.3

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Wed, 19 Jul 2017 11:06:02 GMT) Full text and rfc822 format available.

Message #20 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Wed, 19 Jul 2017 19:04:53 +0800
[Message part 1 (text/plain, inline)]
I find out that our version of heimdal is also affected by
CVE-2017-6594. So I amend the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' does not apply, so I remove
them. Also, I change hunk#4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo
foo*
+bar
+bar*
baz
baz*

Now it is:

foo
foo*
+bar
+bar*
<empty-line>

Here is the updated patch:
[0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch (scm, attachment)]
[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Changed bug title to '[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.' from '[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].' Request was from Alex Vong <alexvong1995 <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 20 Jul 2017 12:49:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Thu, 20 Jul 2017 19:52:02 GMT) Full text and rfc822 format available.

Message #25 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Thu, 20 Jul 2017 15:51:34 -0400
[Message part 1 (text/plain, inline)]
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
> 
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
> 
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
<https://orpheus-lyre.info>, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Wed, 18 Oct 2017 21:33:01 GMT) Full text and rfc822 format available.

Message #28 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 27749 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Wed, 18 Oct 2017 23:31:38 +0200
Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995 <at> gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries.  It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net





Changed bug title to 'gnu: heimdal: Update to 7.4.0.' from '[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.' Request was from Ricardo Wurmus <rekado <at> elephly.net> to control <at> debbugs.gnu.org. (Thu, 19 Oct 2017 06:33:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Thu, 19 Oct 2017 14:58:02 GMT) Full text and rfc822 format available.

Message #33 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 27749 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Thu, 19 Oct 2017 22:57:12 +0800
[Message part 1 (text/plain, inline)]
Ricardo Wurmus <rekado <at> elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995 <at> gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
exmaples, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Sat, 21 Oct 2017 09:54:01 GMT) Full text and rfc822 format available.

Message #36 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 27749 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Sat, 21 Oct 2017 17:52:58 +0800
[Message part 1 (text/plain, inline)]
Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependecies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).

[0001-gnu-heimdal-Update-to-7.4.0.patch (text/x-diff, inline)]
From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
and sqlite.
---
 gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a..fde310e65 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita <at> karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado <at> elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
-              (patches (search-patches "heimdal-CVE-2017-6594.patch"
-                                       "heimdal-CVE-2017-11103.patch"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
 
                           ;; Do not build libedit.
-                          (string-append
-                           "--with-readline-lib="
-                           (assoc-ref %build-inputs "readline") "/lib")
-                          (string-append
-                           "--with-readline-include="
-                           (assoc-ref %build-inputs "readline") "/include"))
+                          (string-append "--with-readline="
+                                         (assoc-ref %build-inputs "readline"))
+
+                          ;; Do not build sqlite.
+                          (string-append "--with-sqlite3="
+                                         (assoc-ref %build-inputs "sqlite")))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
+                  ;; FIXME: figure out the complete list of bundled libraries
+                  (add-after 'configure 'remove-bundled-libraries
+                    (lambda _
+                      (for-each delete-file-recursively
+                                '("lib/libedit" "lib/sqlite"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
+              ("sqlite" ,sqlite)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
-- 
2.14.2

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Sun, 26 Nov 2017 23:00:01 GMT) Full text and rfc822 format available.

Message #39 received at 27749 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 27749 <at> debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Sun, 26 Nov 2017 17:59:42 -0500
[Message part 1 (text/plain, inline)]
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
> 
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
> 
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
> 

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Christopher Baines <mail <at> cbaines.net> to control <at> debbugs.gnu.org. (Mon, 19 Mar 2018 08:22:01 GMT) Full text and rfc822 format available.

Reply sent to iyzsong <at> member.fsf.org (宋文武):
You have taken responsibility. (Sun, 10 Jun 2018 08:05:02 GMT) Full text and rfc822 format available.

Notification sent to Alex Vong <alexvong1995 <at> gmail.com>:
bug acknowledged by developer. (Sun, 10 Jun 2018 08:05:02 GMT) Full text and rfc822 format available.

Message #46 received at 27749-done <at> debbugs.gnu.org (full text, mbox):

From: iyzsong <at> member.fsf.org (宋文武)
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 27749-done <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Sun, 10 Jun 2018 16:04:09 +0800
Alex Vong <alexvong1995 <at> gmail.com> writes:

> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjust this patch to version '7.5.0', and pushed, thank you!

Closing now :-)




Information forwarded to guix-patches <at> gnu.org:
bug#27749; Package guix-patches. (Mon, 25 Jun 2018 03:17:02 GMT) Full text and rfc822 format available.

Message #49 received at 27749-done <at> debbugs.gnu.org (full text, mbox):

From: Alex Vong <alexvong1995 <at> gmail.com>
To: 宋文武 <iyzsong <at> member.fsf.org>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 27749-done <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Mon, 25 Jun 2018 11:16:24 +0800
[Message part 1 (text/plain, inline)]
Thanks for taking care of it!


On 10 June 2018 at 16:04, 宋文武 <iyzsong <at> member.fsf.org> wrote:

> Alex Vong <alexvong1995 <at> gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependecies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995 <at> gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjust this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>
[Message part 2 (text/html, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 23 Jul 2018 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 5 years and 249 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.