GNU bug report logs

#27749 gnu: heimdal: Update to 7.4.0.


Message #17 received at 27749@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: Leo Famulari <leo@famulari.name>
Subject: Re: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
 CVE-2017-11103].
Date: Wed, 19 Jul 2017 17:22:53 +0800
Cc: 27749@debbugs.gnu.org
Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also, the configure script provides options to use
system libraries instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agreed, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try, but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:
[0001-gnu-heimdal-Fix-CVE-2017-11103.patch (text/x-diff, inline)]
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
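Review bot: the carried upstream hunk in lib/krb5/ticket.c keeps upstream's `@@ -705,8 +705,8 @@` offsets and `index d95d96d1b..b8d81c6ad` line, but it is applied to the older Heimdal source that kerberos.scm still packages, so please confirm it applies to that tarball's `_krb5_extract_ticket()` without fuzz or a shifted offset (for example by running `guix build --source heimdal` and inspecting the resulting ticket.c). If the hunk landed on a different call, the principal would still be built from the unencrypted `rep->kdc_rep.ticket.sname` and `rep->kdc_rep.ticket.realm`, and the build would succeed anyway. The header of the patch file is fine as it stands: it names the CVE and the upstream commit the fix was lifted from.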
-- 
2.13.3

Cheers,
Alex