GNU bug report logs - #34632
[PATCH 0/2] Change from GSS to MIT-KRB5.


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sat, 23 Feb 2019 16:22:01 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <mbakke <at> fastmail.com>



Report forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sat, 23 Feb 2019 16:22:02 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 23 Feb 2019 16:22:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Sat, 23 Feb 2019 17:20:42 +0100
The GNU Generic Security Service and friends have been unmaintained for
many years now: <https://www.gnu.org/software/gss/>.

Since these libraries are security-critical, it would be good to switch
to maintained implementations.  WDYT?

Marius Bakke (2):
  gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
  gnu: curl: Build against MIT Kerberos instead of GSS.

 gnu/packages/curl.scm  | 10 ++++++----
 gnu/packages/gsasl.scm |  4 +++-
 2 files changed, 9 insertions(+), 5 deletions(-)

-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sat, 23 Feb 2019 16:24:01 GMT)

Message #8 received at 34632 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: 34632 <at> debbugs.gnu.org
Subject: [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead
 of GSS.
Date: Sat, 23 Feb 2019 17:23:37 +0100
* gnu/packages/gsasl.scm (gsasl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: New field.
---
 gnu/packages/gsasl.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm
index 127b476ef3..9296f3d80f 100644
--- a/gnu/packages/gsasl.scm
+++ b/gnu/packages/gsasl.scm
@@ -95,9 +95,11 @@ the underlying security implementation.")
                   (("test-lock\\$\\(EXEEXT\\) ") ""))
                 #t))))
    (build-system gnu-build-system)
+   (arguments
+    `(#:configure-flags '("--with-gssapi-impl=mit")))
    (inputs `(("libidn" ,libidn)
              ("libntlm" ,libntlm)
-             ("gss" ,gss)
+             ("mit-krb5" ,mit-krb5)
              ("zlib" ,zlib)))
    (propagated-inputs
     ;; Propagate GnuTLS because libgnutls.la reads `-lnettle', and Nettle is a
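Review bot: the new `arguments` field selects the MIT implementation by name only (`--with-gssapi-impl=mit`), whereas the curl patch in this same series passes the store prefix explicitly with `(assoc-ref %build-inputs "mit-krb5")`; since gsasl's configure script therefore has to locate the MIT GSS-API library on its own, please confirm in the build log that it actually found it and did not fall back to a build without GSS-API support. Also, the hunk swaps the `gss` input for `mit-krb5` but adds no `#:use-module (gnu packages kerberos)` as the curl patch does, so make sure gsasl.scm already has that binding in scope, otherwise the module will fail to load with an unbound variable.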
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sat, 23 Feb 2019 16:24:02 GMT)

Message #11 received at 34632 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: 34632 <at> debbugs.gnu.org
Subject: [PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos
 instead of GSS.
Date: Sat, 23 Feb 2019 17:23:38 +0100
* gnu/packages/curl.scm (curl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: Adjust accordingly.
---
 gnu/packages/curl.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index b1b2b999a2..88abc6aabd 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -37,8 +37,8 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages golang)
   #:use-module (gnu packages groff)
-  #:use-module (gnu packages gsasl)
   #:use-module (gnu packages guile)
+  #:use-module (gnu packages kerberos)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages openldap)
   #:use-module (gnu packages perl)
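Review bot: dropping `#:use-module (gnu packages gsasl)` is only safe if `gss` was the sole binding curl.scm took from that module; please double-check that no other package in the file still refers to `gss` or anything else from gsasl, since after this hunk that would surface as an unbound variable when the module is loaded. The new `(gnu packages kerberos)` import is placed in alphabetical order, which is consistent with the surrounding list.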
@@ -63,10 +63,10 @@
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
    (inputs `(("gnutls" ,gnutls)
-             ("gss" ,gss)
              ("libidn" ,libidn)
              ("libssh2" ,libssh2)
              ("openldap" ,openldap)
+             ("mit-krb5" ,mit-krb5)
              ("nghttp2" ,nghttp2 "lib")
              ("zlib" ,zlib)))
    (native-inputs
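Review bot: the input label `"mit-krb5"` is exactly what the `(assoc-ref %build-inputs "mit-krb5")` lookup in the arguments hunk depends on, so the two strings have to stay identical; if the label is ever renamed without updating the flag, `assoc-ref` returns `#f` and the `string-append` fails with a wrong-type error at build time. A short comment on the input line pointing at the configure flag would make that coupling visible to the next editor.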
@@ -85,8 +85,10 @@
            (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
-    `(#:configure-flags '("--with-gnutls" "--with-gssapi"
-                          "--disable-static")
+    `(#:configure-flags (list "--with-gnutls"
+                              (string-append "--with-gssapi="
+                                             (assoc-ref %build-inputs "mit-krb5"))
+                              "--disable-static")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
       #:phases
       (modify-phases %standard-phases
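Review bot: replacing the quoted literal list with `(list "--with-gnutls" (string-append "--with-gssapi=" (assoc-ref %build-inputs "mit-krb5")) "--disable-static")` is the right shape here, because the prefix is only known on the build side where `%build-inputs` is bound, and the quasiquoted `#:configure-flags` evaluates it there. Since curl's configure will search for the GSS-API library under that prefix, it would be worth confirming that the resulting build lists GSS-API among its features (for example via `curl-config --features` or the Features line of `curl --version`), so that a lookup failure is caught in review rather than yielding a curl quietly built without Kerberos support.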
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Tue, 26 Feb 2019 04:59:02 GMT)

Message #14 received at 34632 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 34632 <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Mon, 25 Feb 2019 23:58:13 -0500
On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
> 
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations.  WDYT?

I think it's the right choice.

Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Fri, 15 Mar 2019 22:15:02 GMT)

Message #17 received at 34632 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Marius Bakke <mbakke <at> fastmail.com>, 34632 <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Fri, 15 Mar 2019 23:14:43 +0100
Hello,

Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
>> The GNU Generic Security Service and friends have been unmaintained for
>> many years now: <https://www.gnu.org/software/gss/>.
>> 
>> Since these libraries are security-critical, it would be good to switch
>> to maintained implementations.  WDYT?
>
> I think it's the right choice.

Yeah, it’s a bit sad IMO, but so be it.

Note that “guix refresh -l gss” says 4K packages depend on it,
not sure why.

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sat, 16 Mar 2019 03:44:01 GMT)

Message #20 received at 34632 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: mbakke <at> fastmail.com
Cc: Ludovic Courtès <ludo <at> gnu.org>, 34632 <at> debbugs.gnu.org,
 leo <at> famulari.name
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Fri, 15 Mar 2019 23:43:26 -0400
Hello!

On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations.  WDYT?

Unmaintained on what ground? The website doesn't list fresh news,
but the latest release was made in 2014 [1], and the maintainer has made
changes to the Debian package last time in 2017 [2]. I wouldn't say it's
unmaintained until the maintainer says so or CVEs pile up unfixed (which
there aren't).

So, my position would be to not do anything, as there doesn't seem to be
an issue.

Maxim

[1]  ftp://ftp.gnu.org/gnu/gss/
[2]  https://sources.debian.org/src/gss/1.0.3-3/debian/changelog/




Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sun, 17 Mar 2019 18:28:02 GMT)

Message #23 received at 34632 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: mbakke <at> fastmail.com, Ludovic Courtès <ludo <at> gnu.org>,
 34632 <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Sun, 17 Mar 2019 14:27:05 -0400
On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
> Unmaintained on what ground? The website doesn't list fresh news,
> but the latest release was made in 2014 [1], and the maintainer has made
> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
> unmaintained until the maintainer says so or CVEs pile up unfixed (which
> there aren't).

Considering the rate of vulnerability discovery in MIT Kerberos [0] I
think that, if GSS was being examined to the same degree, we would learn
of many serious bugs. Any significant C codebase of this age will have
such bugs. But unfortunately GSS hasn't received as much scrutiny.

[0]
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5

Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Tue, 14 May 2019 03:18:01 GMT)

Message #26 received at 34632 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: mbakke <at> fastmail.com, Ludovic Courtès <ludo <at> gnu.org>,
 34632 <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Mon, 13 May 2019 23:17:17 -0400
Hello,

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>> Unmaintained on what ground? The website doesn't list fresh news,
>> but the latest release was made in 2014 [1], and the maintainer has made
>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>> there aren't).
>
> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
> think that, if GSS was being examined to the same degree, we would learn
> of many serious bugs. Any significant C codebase of this age will have
> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>
> [0]
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5

Just FYI,

I had ping'd the GSS mailing list with this message:
http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
there hasn't been a reply (yet).

So it looks like it was a wise decision to make the switch! Sorry for
doubting, eh!

Maxim




Reply sent to Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility. (Tue, 14 May 2019 18:16:02 GMT)

Notification sent to Marius Bakke <mbakke <at> fastmail.com>:
bug acknowledged by developer. (Tue, 14 May 2019 18:16:03 GMT)

Message #31 received at 34632-done <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>,
 Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 34632-done <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Tue, 14 May 2019 20:15:36 +0200
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hello,
>
> Leo Famulari <leo <at> famulari.name> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there hasn't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!

Thank you very much for checking with upstream :-)

I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.

It would be great to get Shishi and GSS into Google's OSS-Fuzz and
similar so that we can be more confident in the implementation.

For now I've pushed these patches in 996186b..828d376.

Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Wed, 15 May 2019 23:07:02 GMT)

Message #34 received at 34632-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 34632-done <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Wed, 15 May 2019 19:06:47 -0400
Hello Marius,

Marius Bakke <mbakke <at> fastmail.com> writes:

[...]

>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had ping'd the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there hasn't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Google's OSS-Fuzz and
> similar so that we can be more confident in the implementation.

Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL (which is one of the two fuzzers used by Google's
OSS-fuzz service, and which we already have in Guix).

Food for thought!

> For now I've pushed these patches in 996186b..828d376.

Thank you,

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 13 Jun 2019 11:24:04 GMT)

bug unarchived. Request was from Simon Josefsson <simon <at> josefsson.org> to control <at> debbugs.gnu.org. (Sat, 06 Aug 2022 14:05:02 GMT)

Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Sat, 06 Aug 2022 16:08:02 GMT)

Message #41 received at 34632 <at> debbugs.gnu.org:

From: Simon Josefsson via Discussion list for GNU Generic Security Service
 <help-gss <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 34632 <at> debbugs.gnu.org, help-gss <at> gnu.org
Subject: Re: GSS development status
Date: Sat, 06 Aug 2022 16:02:31 +0200
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hello,
>
> I'd like to inquire about the development status of GSS. Has it left the
> beta status? Are bugs still being fixed? Are there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0]  http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question.  However I have just released GNU GSS version 1.0.4 to refresh
the project, and have setup CI/CD checking of it to pave the road for
future improvements.  To my knowledge there are only two major missing
features:

  1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
     from completing on modern machines.  Shishi supports AES and GSSLib
     supports it for GSS_Init_sec_context etc but not GSS_wrap.

  2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
     Heimdal.

I hope to complete 1) in the future.  For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution.  My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead!  Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon

Information forwarded to guix-patches <at> gnu.org:
bug#34632; Package guix-patches. (Wed, 10 Aug 2022 00:49:01 GMT)

Message #44 received at 34632 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Simon Josefsson <simon <at> josefsson.org>
Cc: 34632 <at> debbugs.gnu.org, help-gss <at> gnu.org
Subject: Re: GSS development status
Date: Tue, 09 Aug 2022 20:48:03 -0400
Hi Simon,

Simon Josefsson <simon <at> josefsson.org> writes:

> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>
>> Hello,
>>
>> I'd like to inquire about the development status of GSS. Has it left the
>> beta status? Are bugs still being fixed? Are there any known or presumed
>> security issues when using GSS rather than its more mainstream
>> implementation in MIT Kerberos?
>>
>> I'm asking because the GNU Guix project is considering a switch from GNU
>> GSS to MIT krb5 for security reasons [0], given that no new releases have
>> been made since 2014.
>>
>> Thank you,
>>
>> Maxim Cournoyer
>>
>> [0]  http://issues.guix.info/issue/34632
>
> Hi Maxim,
>
> Sorry for the slow response, which may in part be an answer to your
> question.  However I have just released GNU GSS version 1.0.4 to refresh
> the project, and have setup CI/CD checking of it to pave the road for
> future improvements.  To my knowledge there are only two major missing
> features:
>
>   1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
>      from completing on modern machines.  Shishi supports AES and GSSLib
>      supports it for GSS_Init_sec_context etc but not GSS_wrap.
>
>   2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
>      Heimdal.
>
> I hope to complete 1) in the future.  For 2), fixing it would be a GNU
> Shishi feature that should be simple to resolve -- it ships with tools
> ccache2shishi and keytab2shishi to convert the files, but that should be
> done automatically internally by the library instead.
>
> Indeed getting these enrolled in the OSS Fuzz project would be a great
> contribution.  My primary goal is to do a new release of GNU Shishi and
> improve the CI/CD integration checks to have good confidence in future
> changes.
>
> Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
> I believe it would be much nicer if you would use the 'Libgssglue'
> package instead!  Then the user can change GSS-API library at run-time.
> Read about this work here:
>
> https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

Thank you for this update!  I'm happy to read you are picking up
maintenance of GSS.  The libgssglue is interesting... I'll have to read
about it to know how it's intended to be used.

Thanks, and long live GNU GSS!

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 07 Sep 2022 11:24:05 GMT)
