GNU bug report logs

#27749 gnu: heimdal: Update to 7.4.0.


Report forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 08:28:01 GMT)


Acknowledgement sent to Alex Vong <alexvong1995@gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Tue, 18 Jul 2017 08:28:01 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 16:26:23 +0800
[Message part 1 (text/plain, inline)]
Tags: security

Hello,

This patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decided to submit this despite many db tests failing because I think we
should fix CVE-2017-11103 asap.

[0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch (text/x-diff, inline)]
From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
 gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..5682a0add 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages gnupg)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
-              (snippet
+              (snippet ;FIXME: remove bundled libraries
                '(substitute* "configure"
                   (("User=.*$") "User=Guix\n")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
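Review bot: the ';FIXME: remove bundled libraries' added on the 'snippet' line leaves the bundled copies in the unpacked source, and the snippet body still only rewrites 'User=' and 'Date=' in 'configure'. For a security-motivated bump, delete the bundled directories in this snippet or point configure at the Guix inputs, so that an unmaintained copy cannot be compiled in. The hunk also replaces the "CFLAGS=-pthread" linker workaround with the CPPFLAGS=-D_PATH_BSHELL= flag without a comment; say in the commit log why the workaround is no longer needed.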
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.")
                            (assoc-ref %build-inputs "readline") "/include"))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
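Review bot: autoconf, automake, libtool, perl, perl-json, texinfo and unzip are added to 'inputs' although their comments mark them as needed for autogen, doc and test only; build-time tools belong in 'native-inputs', as e2fsprogs already is for 'compile_et', so that cross-builds use tools for the build machine. 'unzip' is also missing from the [inputs] entry of the commit log. In 'skip-tests', overwriting tests/db/have-db.in with a script that exits 1 turns off every db test, and the old ftp CHECK_LOCAL workaround is removed without saying whether that test now passes; the FIXME should at least name the failing tests so the gap in coverage is visible.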
-- 
2.13.3

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:50:01 GMT)


Message #8 received at 27749@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:49:06 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> This patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lot of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

>         #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'pre-build
> +                    (lambda _
> +                      (for-each (lambda (file) ;fix sh paths
> +                                  (substitute* file
> +                                    (("/bin/sh")
> +                                     (which "sh"))))
> +                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
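
Review bot: (which "sh") in this phase resolves to whatever 'sh' comes first on PATH during the build, and the result is written into appl/afsutil/pagsh.c, a C source file, so that path is compiled into the resulting binary. The #:configure-flags in the same patch take the shell from (assoc-ref %build-inputs "bash"); using the same lookup here keeps the shell reference explicit and consistent between the two places. The unanchored "/bin/sh" pattern also rewrites every occurrence in both files, comments included.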

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:52:01 GMT)


Message #11 received at 27749@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:51:19 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > This patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
> 
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Tue, 18 Jul 2017 15:54:02 GMT)


Message #14 received at 27749@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 11:53:35 -0400
[Message part 1 (text/plain, inline)]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Wed, 19 Jul 2017 09:24:02 GMT)


Message #17 received at 27749@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Wed, 19 Jul 2017 17:22:53 +0800
[Message part 1 (text/plain, inline)]
Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also the configure script provides options to use
system libraries instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:
[0001-gnu-heimdal-Fix-CVE-2017-11103.patch (text/x-diff, inline)]
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
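Review bot: the embedded upstream diff targets lib/krb5/ticket.c at line 705 of upstream's tree, while the kerberos.scm hunk keeps the existing source hash, so it is worth confirming and stating in the patch header that the hunk applies to the packaged release without fuzz or a large offset. The trailing '-- ' and '2.13.3' lines inside the new file are format-patch residue and can be dropped from heimdal-CVE-2017-11103.patch.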
-- 
2.13.3

[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]
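
The check that the upstream commit message in the patch above describes, reduced to a stand-alone C model (an added example, not Heimdal or Guix code). The structs, same_service() and the sample replies are hypothetical, and enc_part is assumed to have been decrypted and integrity-checked with the reply key already.

```c
/* Added illustration: a simplified model of the KDC-REP name check.
 * Types and sample data are hypothetical; this is not Heimdal source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMP 4

/* Service name as a list of components, e.g. { "host", "files.example.org" }. */
struct name {
    size_t n;
    const char *comp[MAX_COMP];
};

/* Reply as the client sees it once enc_part has been decrypted and
 * integrity-checked (assumed done).  Field names mirror those in the patch. */
struct kdc_reply {
    struct {
        struct {
            struct name sname;   /* cleartext ticket header: not authenticated */
            const char *realm;
        } ticket;
    } kdc_rep;
    struct {
        struct name sname;       /* carried inside the encrypted part */
        const char *srealm;
    } enc_part;
};

/* Compare two service principals component by component, plus realm. */
static bool same_service(const struct name *a, const char *arealm,
                         const struct name *b, const char *brealm)
{
    if (a->n > MAX_COMP || b->n > MAX_COMP || a->n != b->n)
        return false;
    if (strcmp(arealm, brealm) != 0)
        return false;
    for (size_t i = 0; i < a->n; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Behaviour before the fix: the requested service is compared with the
 * name in the cleartext ticket header, which anyone on the path can edit. */
bool check_server_unpatched(const struct kdc_reply *rep,
                            const struct name *want, const char *want_realm)
{
    return same_service(want, want_realm,
                        &rep->kdc_rep.ticket.sname, rep->kdc_rep.ticket.realm);
}

/* Behaviour after the fix: only the name from the encrypted part counts. */
bool check_server_patched(const struct kdc_reply *rep,
                          const struct name *want, const char *want_realm)
{
    return same_service(want, want_realm,
                        &rep->enc_part.sname, rep->enc_part.srealm);
}

/* Constructed sample data. */
static const struct name REQUESTED = { 2, { "host", "files.example.org" } };
static const char REQ_REALM[] = "EXAMPLE.ORG";

/* Both copies of the service name agree. */
static const struct kdc_reply HONEST = {
    .kdc_rep = { .ticket = { .sname = { 2, { "host", "files.example.org" } },
                             .realm = "EXAMPLE.ORG" } },
    .enc_part = { .sname = { 2, { "host", "files.example.org" } },
                  .srealm = "EXAMPLE.ORG" },
};

/* The encrypted part names another service; the cleartext header was
 * rewritten in transit to show the name the client asked for. */
static const struct kdc_reply TAMPERED = {
    .kdc_rep = { .ticket = { .sname = { 2, { "host", "files.example.org" } },
                             .realm = "EXAMPLE.ORG" } },
    .enc_part = { .sname = { 2, { "host", "other.example.org" } },
                  .srealm = "EXAMPLE.ORG" },
};

int main(void)
{
    printf("honest:   unpatched=%d patched=%d\n",
           check_server_unpatched(&HONEST, &REQUESTED, REQ_REALM),
           check_server_patched(&HONEST, &REQUESTED, REQ_REALM));
    printf("tampered: unpatched=%d patched=%d\n",
           check_server_unpatched(&TAMPERED, &REQUESTED, REQ_REALM),
           check_server_patched(&TAMPERED, &REQUESTED, REQ_REALM));
    return 0;
}
```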

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Wed, 19 Jul 2017 11:06:02 GMT)


Message #20 received at 27749@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Wed, 19 Jul 2017 19:04:53 +0800
[Message part 1 (text/plain, inline)]
I found out that our version of heimdal is also affected by
CVE-2017-6594. So I amended the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' do not apply, so I removed
them. Also, I changed hunk#4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo
foo*
+bar
+bar*
baz
baz*

Now it is:

foo
foo*
+bar
+bar*
<empty-line>

Here is the updated patch:
[0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch (scm, attachment)]
[Message part 3 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Changed bug title to '[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.' from '[PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].' Request was from Alex Vong <alexvong1995@gmail.com> to control@debbugs.gnu.org. (Thu, 20 Jul 2017 12:49:02 GMT)


Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Thu, 20 Jul 2017 19:52:02 GMT)


Message #25 received at 27749@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Thu, 20 Jul 2017 15:51:34 -0400
[Message part 1 (text/plain, inline)]
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
> 
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
> 
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
<https://orpheus-lyre.info>, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Wed, 18 Oct 2017 21:33:01 GMT)


Message #28 received at 27749@debbugs.gnu.org:

From: Ricardo Wurmus <rekado@elephly.net>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Wed, 18 Oct 2017 23:31:38 +0200
Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries.  It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net





Changed bug title to 'gnu: heimdal: Update to 7.4.0.' from '[PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.' Request was from Ricardo Wurmus <rekado@elephly.net> to control@debbugs.gnu.org. (Thu, 19 Oct 2017 06:33:02 GMT)


Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Thu, 19 Oct 2017 14:58:02 GMT)


Message #33 received at 27749@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 27749@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Thu, 19 Oct 2017 22:57:12 +0800
[Message part 1 (text/plain, inline)]
Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
example, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Sat, 21 Oct 2017 09:54:01 GMT)


Message #36 received at 27749@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 27749@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Sat, 21 Oct 2017 17:52:58 +0800
[Message part 1 (text/plain, inline)]
Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependencies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).

[0001-gnu-heimdal-Update-to-7.4.0.patch (text/x-diff, inline)]
From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
and sqlite.
---
 gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a..fde310e65 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
-              (patches (search-patches "heimdal-CVE-2017-6594.patch"
-                                       "heimdal-CVE-2017-11103.patch"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
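Review bot: the (patches (search-patches "heimdal-CVE-2017-6594.patch" "heimdal-CVE-2017-11103.patch")) field is removed here, but the diffstat shows only gnu/packages/kerberos.scm changing, so the two patch files and their dist_patch_DATA entries in gnu/local.mk would be left behind unused. Delete them in the same commit, and have the commit log state that both fixes are included in 7.4.0, which should be confirmed before the patches are dropped.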
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
 
                           ;; Do not build libedit.
-                          (string-append
-                           "--with-readline-lib="
-                           (assoc-ref %build-inputs "readline") "/lib")
-                          (string-append
-                           "--with-readline-include="
-                           (assoc-ref %build-inputs "readline") "/include"))
+                          (string-append "--with-readline="
+                                         (assoc-ref %build-inputs "readline"))
+
+                          ;; Do not build sqlite.
+                          (string-append "--with-sqlite3="
+                                         (assoc-ref %build-inputs "sqlite")))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
+                  ;; FIXME: figure out the complete list of bundled libraries
+                  (add-after 'configure 'remove-bundled-libraries
+                    (lambda _
+                      (for-each delete-file-recursively
+                                '("lib/libedit" "lib/sqlite"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
+              ("sqlite" ,sqlite)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
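Review bot: the 'skip-tests phase overwrites "tests/db/have-db.in" with a script that always runs `exit 1`, which per its own comment skips the db tests as a group rather than only the ones that fail, and the FIXME does not record which tests fail or how. For an update submitted as a security fix, list the failing tests in the comment, or disable only those, so a reviewer can judge what is left unverified. Separately, the 'remove-bundled-libraries lambda ends on `for-each`, whose return value is unspecified, while 'pre-build and 'skip-tests both end with an explicit `#t`; add `#t` as its last expression. The entries commented as needed for autogen, doc and test (autoconf, automake, libtool, perl, perl-json, texinfo, unzip) are build-time tools and fit better under the existing `native-inputs` field than under `inputs`.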
-- 
2.14.2

[Message part 3 (text/plain, inline)]
Cheers,
Alex

Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Sun, 26 Nov 2017 23:00:01 GMT) (full text, mbox, link).


Message #39 received at 27749@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: Ricardo Wurmus <rekado@elephly.net>, 27749@debbugs.gnu.org
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Sun, 26 Nov 2017 17:59:42 -0500
[Message part 1 (text/plain, inline)]
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
> 
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
> 
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
> 

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?

Added tag(s) patch. Request was from Christopher Baines <mail@cbaines.net> to control@debbugs.gnu.org. (Mon, 19 Mar 2018 08:22:01 GMT) (full text, mbox, link).


Reply sent to iyzsong@member.fsf.org (宋文武):
You have taken responsibility. (Sun, 10 Jun 2018 08:05:02 GMT) (full text, mbox, link).


Notification sent to Alex Vong <alexvong1995@gmail.com>:
bug acknowledged by developer. (Sun, 10 Jun 2018 08:05:02 GMT) (full text, mbox, link).


Message #46 received at 27749-done@debbugs.gnu.org (full text, mbox, reply):

From: iyzsong@member.fsf.org (宋文武)
To: Alex Vong <alexvong1995@gmail.com>
Cc: Ricardo Wurmus <rekado@elephly.net>, 27749-done@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Sun, 10 Jun 2018 16:04:09 +0800
Alex Vong <alexvong1995@gmail.com> writes:

> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!

Closing now :-)




Information forwarded to guix-patches@gnu.org:
bug#27749; Package guix-patches. (Mon, 25 Jun 2018 03:17:02 GMT) (full text, mbox, link).


Message #49 received at 27749-done@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 宋文武 <iyzsong@member.fsf.org>
Cc: Ricardo Wurmus <rekado@elephly.net>, 27749-done@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Mon, 25 Jun 2018 11:16:24 +0800
[Message part 1 (text/plain, inline)]
Thanks for taking care of it!


On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:

> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependencies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Mon, 23 Jul 2018 11:24:04 GMT) (full text, mbox, link).


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 12:07:36 2024; Machine Name: wallace-server