GNU bug report logs

#27749 gnu: heimdal: Update to 7.4.0.

Package: guix-patches

Message #5 received at submit@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Tue, 18 Jul 2017 16:26:23 +0800
Message-ID: <87wp76kv68.fsf@gmail.com>
Tags: security

Hello,

This patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decided to submit this despite many db tests failing because I think we
should fix CVE-2017-11103 ASAP.

[0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch (text/x-diff, inline)]
From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
 gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..5682a0add 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages gnupg)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
-              (snippet
+              (snippet ;FIXME: remove bundled libraries
                '(substitute* "configure"
                   (("User=.*$") "User=Guix\n")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
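Review bot: the value built for `CPPFLAGS=-D_PATH_BSHELL=` from the bash input path carries no quotes, so the macro expands to a bare path token rather than a C string; if heimdal consumes `_PATH_BSHELL` as a string literal (the form `<paths.h>` gives it), the flag either breaks compilation or is silently overridden wherever `<paths.h>` is included after it. Escape the quotes into the flag, e.g. `(string-append "CPPFLAGS=-D_PATH_BSHELL=\\\"" (assoc-ref %build-inputs "bash") "/bin/sh\\\"")`, or confirm the macro is unused and drop the flag. The `;FIXME: remove bundled libraries` on the snippet is the security-relevant gap in an update whose purpose is a CVE fix: as long as copies of third-party libraries ship inside the tarball, their own fixes never reach this package, so the FIXME should name the bundled directories and the snippet should `delete-file-recursively` those for which Guix already has packages. The `"CFLAGS=-pthread"` linker workaround is also dropped without a word; a one-line comment stating that 7.4.0 no longer needs it would save the next updater a rebuild.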
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.")
                            (assoc-ref %build-inputs "readline") "/include"))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
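Review bot: the new `autogen` phase regenerates `configure` from `configure.ac` (that is what `autogen.sh` is for), so the `User=`/`Date=` substitutions the source snippet applies to the shipped `configure` are discarded before the build ever sees them; that is a likely cause of the non-reproducible output mentioned in the cover message. Either move those two `substitute*` patterns into a phase that runs after `autogen`, or avoid re-running autotools altogether by substituting `/bin/sh` in `tools/Makefile.in` instead of `tools/Makefile.am`, which also removes the need for autoconf, automake and libtool. Whatever remains of autoconf, automake, libtool, perl, perl-json, texinfo and unzip belongs in `native-inputs`, not `inputs`: they are build-time tools, and listing them as `inputs` drags them into the runtime closure and breaks cross-compilation. In `pre-build`, `(passwd:name (getpwuid (getuid)))` bakes whichever build user the daemon happened to pick into `lib/roken/getxxyyy.c`, and the inserted `#ifndef TEST_GETXXYYY` / `#error` guard turns any non-test compilation of that file into a hard failure; a fixed user string and a comment on why the guard is safe would keep this independent of the build slot. Finally, `skip-tests` now disables every test under `tests/db` with an unconditional `exit 1`; since those exercise the KDC database backends, the FIXME should at least record which tests fail and why shipping without them is acceptable for a security update.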
-- 
2.13.3

Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 16:53:59 2024; Machine Name: wallace-server
