* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2017-07-18 8:26 UTC
To: 27749

Tags: security

Hello,

This patch upgrades heimdal to its latest version, fixing CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decided to submit this despite many db tests failing because I think we should fix CVE-2017-11103 asap.

[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch --]

From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
 gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 58f619770..5682a0add 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -23,6 +24,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages) + #:use-module (gnu packages autotools) #:use-module (gnu packages bison) #:use-module (gnu packages perl) #:use-module (gnu packages gnupg) @@ -32,6 +34,7 @@ #:use-module (gnu packages compression) #:use-module (gnu packages databases) #:use-module (gnu packages readline) + #:use-module (gnu packages texinfo) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) @@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.") (define-public heimdal (package (name "heimdal") - (version "1.5.3") + (version "7.4.0") (source (origin (method url-fetch) - (uri (string-append "http://www.h5l.org/dist/src/heimdal-" - version ".tar.gz")) + (uri (string-append "https://github.com/" name "/" name + "/releases/download/" name "-" version + "/" name "-" version ".tar.gz")) (sha256 (base32 - "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma")) + "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x")) (modules '((guix build utils))) - (snippet + (snippet ;FIXME: remove bundled libraries '(substitute* "configure" (("User=.*$") "User=Guix\n") (("Date=.*$") "Date=2017\n"))))) (build-system gnu-build-system) (arguments - '(#:configure-flags (list - ;; Work around a linker error. - "CFLAGS=-pthread" + '(#:modules ((guix build gnu-build-system) + (guix build utils) + (srfi srfi-26)) + + #:configure-flags (list + (string-append "CPPFLAGS=-D_PATH_BSHELL=" + (assoc-ref %build-inputs "bash") + "/bin/sh") ;; Avoid 7 MiB of .a files. "--disable-static" 
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.") (assoc-ref %build-inputs "readline") "/include")) #:phases (modify-phases %standard-phases + (add-after 'unpack 'pre-build + (lambda _ + (for-each (lambda (file) ;fix sh paths + (substitute* file + (("/bin/sh") + (which "sh")))) + '("appl/afsutil/pagsh.c" "tools/Makefile.am")) + (substitute* "lib/roken/getxxyyy.c" ;set user during test + (("user = getenv\\(\"USER\"\\);") + (format #f + "#ifndef TEST_GETXXYYY +#error \"TEST_GETXXYYY is not defined\" +#endif +user = \"~a\"; +" + (passwd:name (getpwuid (getuid)))))) + #t)) + + (add-after 'pre-build 'autogen + (lambda _ + (zero? (system* "sh" "autogen.sh")))) + (add-before 'check 'skip-tests (lambda _ - ;; The test simply runs 'ftp --version && ftp --help' - ;; but that fails in the chroot because 'ftp' tries to - ;; do a service lookup before printing the help/version. - (substitute* "appl/ftp/ftp/Makefile.in" - (("^CHECK_LOCAL =.*") - "CHECK_LOCAL = no-check-local\n")) + ;; skip db tests for now + ;; FIXME: figure out why they fail + (call-with-output-file "tests/db/have-db.in" + (cut format <> "#!~a~%exit 1~%" (which "sh"))) #t))))) + (native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et' - (inputs `(("readline" ,readline) + (inputs `(("autoconf" ,autoconf) ;for autogen + ("automake" ,automake) + ("libtool" ,libtool) + ("perl" ,perl) + ("perl-json" ,perl-json) + + ("texinfo" ,texinfo) ;for doc + ("unzip" ,unzip) ;for test + + ("readline" ,readline) ("bdb" ,bdb) ("e2fsprogs" ,e2fsprogs))) ;for libcom_err (home-page "http://www.h5l.org/") -- 2.13.3 [-- Attachment #1.3: Type: text/plain, Size: 14 bytes --] Cheers, Alex [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 13+ messages in thread
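Review bot: in the `(version "7.4.0")` hunk the origin snippet still rewrites `User=` and `Date=` in the shipped configure, but the new 'autogen phase (`(zero? (system* "sh" "autogen.sh"))`) regenerates configure from configure.ac after unpack, so those substitutions are thrown away and the regenerated script carries the build user and date again. Either substitute whatever autogen.sh reads to produce those two values, or move the substitution into a phase that runs after 'autogen; this is also the first place to look for the non-reproducibility mentioned in the cover letter.

Review bot: the `CPPFLAGS=-D_PATH_BSHELL=` flag in the same hunk passes the store path unquoted, so the preprocessor sees `_PATH_BSHELL` as a bare path token, not as the string literal the conventional `#define _PATH_BSHELL "/bin/sh"` fallback provides; unless the header that consumes it stringifies the macro, the flag either has no effect or breaks the files that use it. Please check which, and if a string is expected write it as `-D_PATH_BSHELL=\"<path>\"` (with the quotes escaped for the shell).

Review bot: the new skip-tests phase overwrites tests/db/have-db.in with a script that always exits 1, which makes every test under tests/db report that no database backend is available, so the whole DB suite is disabled rather than the single ftp test the old phase skipped; with bdb as an input that leaves the KDC database backend with no coverage at all. The FIXME should at least record which tests fail and how, and the phase should be removed once the cause is found.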
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Leo Famulari @ 2017-07-18 15:49 UTC
To: Alex Vong; +Cc: 27749

On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> This patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lot of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

> #:phases (modify-phases %standard-phases
> + (add-after 'unpack 'pre-build
> + (lambda _
> + (for-each (lambda (file) ;fix sh paths
> + (substitute* file
> + (("/bin/sh")
> + (which "sh"))))
> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Leo Famulari @ 2017-07-18 15:51 UTC
To: Alex Vong; +Cc: 27749

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > This patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
>
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Leo Famulari @ 2017-07-18 15:53 UTC
To: Alex Vong; +Cc: 27749

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2017-07-19 9:22 UTC
To: Leo Famulari; +Cc: 27749

Leo Famulari <leo@famulari.name> writes:

[...]

>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>

They live in lib/. Also the configure script provides options to use
system libraries instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>

Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>

I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>> #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'pre-build
>> + (lambda _
>> + (for-each (lambda (file) ;fix sh paths
>> + (substitute* file
>> + (("/bin/sh")
>> + (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and re-generating
the generated files. Patching the generated files feels like a hack to
me. What do you think?

Thanks for the suggestions! Here is the patch:

[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-11103.patch --]

From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/kerberos.scm | 1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 92ad112cf..d2ae454c0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2017-11103.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 58f619770..3b0050fc1 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.") (sha256 (base32 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma")) + (patches (search-patches "heimdal-CVE-2017-11103.patch")) (modules '((guix build utils))) (snippet '(substitute* "configure" diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch new file mode 100644 index 000000000..d76f0df36 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2017-11103: + +https://orpheus-lyre.info/ +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 +https://security-tracker.debian.org/tracker/CVE-2017-11103 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea + +From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 +From: Jeffrey Altman <jaltman@secure-endpoints.com> +Date: Wed, 12 Apr 2017 15:40:42 -0400 +Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + +Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index d95d96d1b..b8d81c6ad 100644 +--- a/lib/krb5/ticket.c ++++ b/lib/krb5/ticket.c +@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ +-- +2.13.3 + -- 2.13.3 [-- Attachment #1.3: Type: text/plain, Size: 14 bytes --] Cheers, Alex [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 13+ messages in thread
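Review bot: the kerberos.scm hunk attaches the fix to the heimdal origin only, and the hunk in lib/krb5/ticket.c lives in the client library, so every package linked against this heimdal is covered once it is rebuilt; samba, which bundles its own copy of Heimdal as noted earlier in the thread, is not, and needs the equivalent change (the samba commit Leo cited) tracked separately. The patch header with the advisory site, MITRE and Debian tracker links plus the upstream commit hash is a good template for any further Heimdal CVE patch.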
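The one-hunk fix above is easier to reason about with the two name fields side by side. The following is an added illustration, not part of the thread and not Heimdal's code: a constructed model of a KDC-REP in which the plaintext Ticket (encrypted to the server, so readable and rewritable by anyone on the path) names one service while the encrypted part (the only portion bound to the client's key) names another. The struct and function names are this example's assumptions, not Heimdal's API, and the reply data is constructed; how an attacker arranges for the encrypted part to name a service they hold the key for is covered by the advisory site linked in the patch header, not here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two places a KDC-REP names the server.
 * The Ticket is plaintext as far as the client is concerned (it is
 * encrypted to the *server's* key), so an on-path attacker can rewrite
 * its sname/realm.  EncKDCRepPart is encrypted to the client's key, so
 * its sname/srealm are the only values the client can trust.
 * Type and field names are assumptions for this example. */
struct ticket_plain     { const char *sname; const char *realm;  };
struct enc_kdc_rep_part { const char *sname; const char *srealm; };
struct kdc_rep {
    struct ticket_plain     ticket;    /* unauthenticated on the wire */
    struct enc_kdc_rep_part enc_part;  /* already decrypted with the reply key */
};

enum { EXTRACT_OK = 0, EXTRACT_SERVER_MISMATCH = 1 };

/* Pre-fix behaviour: the server principal is compared using the plaintext
 * Ticket fields, the ones the upstream hunk removes. */
int extract_ticket_vulnerable(const struct kdc_rep *rep,
                              const char *req_sname, const char *req_realm)
{
    if (strcmp(rep->ticket.sname, req_sname) != 0 ||
        strcmp(rep->ticket.realm, req_realm) != 0)
        return EXTRACT_SERVER_MISMATCH;
    return EXTRACT_OK;
}

/* Post-fix behaviour: compare against the authenticated enc_part fields. */
int extract_ticket_fixed(const struct kdc_rep *rep,
                         const char *req_sname, const char *req_realm)
{
    if (strcmp(rep->enc_part.sname, req_sname) != 0 ||
        strcmp(rep->enc_part.srealm, req_realm) != 0)
        return EXTRACT_SERVER_MISMATCH;
    return EXTRACT_OK;
}

/* Constructed scenario.  The client asked for host/fileserver@EXAMPLE.ORG.
 * honest_reply is an untouched reply.  forged_reply is a reply whose
 * encrypted part is for a service the attacker controls; the attacker has
 * rewritten the plaintext Ticket name to the victim service, which they
 * can do, and left the encrypted part alone, which they cannot change. */
const char *REQ_SNAME = "host/fileserver";
const char *REQ_REALM = "EXAMPLE.ORG";

const struct kdc_rep honest_reply = {
    { "host/fileserver", "EXAMPLE.ORG" },
    { "host/fileserver", "EXAMPLE.ORG" },
};

const struct kdc_rep forged_reply = {
    { "host/fileserver",   "EXAMPLE.ORG" },  /* rewritten on the wire */
    { "host/attacker-box", "EXAMPLE.ORG" },  /* bound by the KDC, unforgeable */
};

int main(void)
{
    printf("honest reply: old check=%d new check=%d\n",
           extract_ticket_vulnerable(&honest_reply, REQ_SNAME, REQ_REALM),
           extract_ticket_fixed(&honest_reply, REQ_SNAME, REQ_REALM));
    printf("forged reply: old check=%d new check=%d\n",
           extract_ticket_vulnerable(&forged_reply, REQ_SNAME, REQ_REALM),
           extract_ticket_fixed(&forged_reply, REQ_SNAME, REQ_REALM));
    return 0;
}
```

The old check accepts the forged reply because the only field it looks at is the one the attacker rewrote; the fixed check rejects it because the decrypted enc_part still says host/attacker-box. Honest replies pass both, which is why the bug went unnoticed in normal operation.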
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2017-07-19 11:04 UTC
To: Leo Famulari; +Cc: 27749

I found out that our version of heimdal is also affected by
CVE-2017-6594. So I amended the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' do not apply, so I removed them.
Also, I changed hunk #4 of 'kdc/krb5tgs.c' so that it applies. It used
to be:

 foo
 foo*
+bar
+bar*
 baz
 baz*

Now it is:

 foo
 foo*
+bar
+bar*
<empty-line>

Here is the updated patch:

[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch --]

From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.

* gnu/packages/patches/heimdal-CVE-2017-6594.patch,
gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/kerberos.scm (heimdal)[source]: Use them.
---
 gnu/local.mk | 2 +
 gnu/packages/kerberos.scm | 2 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++
 gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 +++++++++++++++++++++++
 4 files changed, 134 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 92ad112cf..5f4bc47a0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -691,6 +691,8 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2017-6594.patch \ + %D%/packages/patches/heimdal-CVE-2017-11103.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 58f619770..59fd944c6 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.") (sha256 (base32 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma")) + (patches (search-patches "heimdal-CVE-2017-6594.patch" + "heimdal-CVE-2017-11103.patch")) (modules '((guix build utils))) (snippet '(substitute* "configure" diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch new file mode 100644 index 000000000..d76f0df36 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2017-11103: + +https://orpheus-lyre.info/ +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 +https://security-tracker.debian.org/tracker/CVE-2017-11103 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea + +From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 +From: Jeffrey Altman <jaltman@secure-endpoints.com> +Date: Wed, 12 Apr 2017 15:40:42 -0400 +Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + +Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index d95d96d1b..b8d81c6ad 100644 +--- a/lib/krb5/ticket.c ++++ b/lib/krb5/ticket.c +@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ +-- +2.13.3 + diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch new file mode 100644 index 000000000..714af6030 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch 
@@ -0,0 +1,85 @@ +Fix CVE-2017-6594: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594 +https://security-tracker.debian.org/tracker/CVE-2017-6594 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 + +To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and +files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified. + +From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni <viktor@twosigma.com> +Date: Wed, 10 Aug 2016 23:31:14 +0000 +Subject: [PATCH] Fix transit path validation CVE-2017-6594 + +Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm +to not be added to the transit path of issued tickets. This may, in +some cases, enable bypass of capath policy in Heimdal versions 1.5 +through 7.2. + +Note, this may break sites that rely on the bug. With the bug some +incomplete [capaths] worked, that should not have. These may now break +authentication in some cross-realm configurations. +--- + NEWS | 14 ++++++++++++++ + kdc/krb5tgs.c | 12 ++++++++++-- + tests/kdc/check-kdc.in | 17 +++++++++++++++++ + tests/kdc/krb5.conf.in | 4 ++++ + 4 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c +index 6048b9c55..98503812f 100644 +--- a/kdc/krb5tgs.c ++++ b/kdc/krb5tgs.c +@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context, + "Decoding transited encoding"); + return ret; + } ++ ++ /* ++ * If the realm of the presented tgt is neither the client nor the server ++ * realm, it is a transit realm and must be added to transited set. 
++ */ + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { +- /* not us, so add the previous realm to transited set */ + if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { + ret = ERANGE; + goto free_realms; +@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, ++ const char *tgt_realm, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + krb5_principals spp, +@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, + &tgt->transited, &et, + krb5_principal_get_realm(context, client_principal), + krb5_principal_get_realm(context, server->entry.principal), +- krb5_principal_get_realm(context, krbtgt->entry.principal)); ++ tgt_realm); + if(ret) + goto out; + +@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context, + krb5_keyblock sessionkey; + krb5_kvno kvno; + krb5_data rspac; ++ const char *tgt_realm = /* Realm of TGT issuer */ ++ krb5_principal_get_realm(context, krbtgt->entry.principal); + +@@ -2324,6 +2331,7 @@ server_lookup: + spn, + client, + cp, ++ tgt_realm, + krbtgt_out, + tkey_sign->key.keytype, + spp, +-- +2.13.3 + -- 2.13.3 [-- Attachment #1.3: Type: text/plain, Size: 14 bytes --] Cheers, Alex [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply related [flat|nested] 13+ messages in thread
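Review bot: hunk #4 of heimdal-CVE-2017-6594.patch (the `@@ -1519,4 +1524,6 @@` one) was hand-edited to apply to 1.5.3, as the patch header records, so please confirm in the 1.5.3 kdc/krb5tgs.c that `krbtgt` in tgs_build_reply is the entry for the TGT the client presented, while `krbtgt_out` (what the last hunk passes to tgs_make_reply right after `tgt_realm`) is the KDC's own krbtgt entry. The fix only changes behaviour when those two realms differ; if in 1.5.3 they are the same object, the new `tgt_realm` equals what the old `krb5_principal_get_realm(context, krbtgt->entry.principal)` produced and the capath bypass remains. Dropping the tests/kdc changes also means nothing in our build exercises the multi-hop path, so a sentence in the patch header on how the backport was checked would help the next person who touches it.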
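The transit-realm rule the CVE-2017-6594 hunks restore is small enough to model in full. The following is an added example, not part of the thread and not Heimdal's code: it applies the rule stated in the new comment in fix_transited_encoding (the realm that issued the presented TGT is a transit realm unless it is the client's or the server's realm) and then runs a simplified stand-in for the [capaths] check. That the pre-fix code ended up passing the server's own realm as the "previous hop" is this example's reading of the hunks (tgs_make_reply used to take the realm of its krbtgt argument, which tgs_build_reply hands it as krbtgt_out); the realm names, the policy table and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REALMS 8

/* Constructed model of the transited-realm list a KDC builds when it
 * issues a cross-realm ticket.  Names are assumptions for this example. */
struct transited {
    const char *realms[MAX_REALMS];
    int n;
};

/* The rule from the fixed fix_transited_encoding(): the realm that issued
 * the presented TGT is a transit realm unless it is the client's or the
 * server's own realm, and then it must be recorded.
 * Returns 0 on success, -1 if the list is full. */
int add_previous_hop(struct transited *t, const char *client_realm,
                     const char *server_realm, const char *tgt_realm)
{
    if (strcmp(client_realm, tgt_realm) == 0 ||
        strcmp(server_realm, tgt_realm) == 0)
        return 0;                       /* not a transit realm, nothing to add */
    if (t->n >= MAX_REALMS)
        return -1;
    t->realms[t->n++] = tgt_realm;
    return 0;
}

/* Simplified stand-in for the [capaths] policy check: every realm in the
 * transited list must be an intermediate the policy allows between the
 * client and server realms.  Returns 1 if the path is allowed, else 0. */
int capaths_allows(const struct transited *t,
                   const char *const *allowed, int n_allowed)
{
    for (int i = 0; i < t->n; i++) {
        int ok = 0;
        for (int j = 0; j < n_allowed; j++)
            if (strcmp(t->realms[i], allowed[j]) == 0) { ok = 1; break; }
        if (!ok)
            return 0;
    }
    return 1;
}

/* Constructed scenario: user@A authenticates to svc@C by way of realm B.
 * At C's KDC the presented TGT is krbtgt/C@B, so its issuer realm is B.
 * Policy for A -> C allows only HUB as an intermediate, so a path through
 * B must be rejected.
 *
 * The pre-fix code passed the realm of the KDC's outgoing krbtgt entry,
 * i.e. C, the server realm itself (modelled by calling with "C"), which
 * add_previous_hop() correctly treats as "not a transit realm"; B is
 * therefore never recorded and the policy check has nothing to refuse. */
static const char *const allowed_A_to_C[] = { "HUB" };

/* Number of transit realms recorded for a given previous-hop realm. */
int hops_recorded(const char *previous_hop_realm)
{
    struct transited t = { {0}, 0 };
    add_previous_hop(&t, "A", "C", previous_hop_realm);
    return t.n;
}

/* Whether the TGS request would pass the A -> C policy. */
int path_allowed(const char *previous_hop_realm)
{
    struct transited t = { {0}, 0 };
    if (add_previous_hop(&t, "A", "C", previous_hop_realm) != 0)
        return 0;
    return capaths_allows(&t, allowed_A_to_C, 1);
}

int main(void)
{
    printf("buggy hop 'C': recorded=%d allowed=%d\n", hops_recorded("C"), path_allowed("C"));
    printf("fixed hop 'B': recorded=%d allowed=%d\n", hops_recorded("B"), path_allowed("B"));
    printf("fixed hop 'HUB': recorded=%d allowed=%d\n", hops_recorded("HUB"), path_allowed("HUB"));
    return 0;
}
```

With "C" as the previous hop (the buggy value) nothing is recorded and the A -> B -> C path slips past a policy that forbids B; with "B" (the presented TGT's issuer, which is what the patch's `tgt_realm` carries) the hop is recorded and refused, while a hop through HUB is recorded and allowed. This is the "incomplete [capaths] that worked but should not have" case the upstream commit message warns about.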
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Leo Famulari @ 2017-07-20 19:51 UTC
To: Alex Vong; +Cc: 27749

On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
>
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
<https://orpheus-lyre.info>, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Ricardo Wurmus @ 2017-10-18 21:31 UTC
To: Alex Vong; +Cc: 27749

Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries. It is not clear to me if *all* things under "lib" are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2017-10-19 14:57 UTC
To: Ricardo Wurmus; +Cc: 27749

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries. It is not clear to me if *all* things under "lib" are
> external libraries or if some of them are part of the source code of
> heimdal.
>

No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>

Good suggestion, I think the Build-Depends field in [1] will help. For
example, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>

Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2017-10-21 9:52 UTC
To: Ricardo Wurmus; +Cc: 27749

Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependencies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).

[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0.patch --]

From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip and sqlite.
---
 gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 801b4e44a..fde310e65 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.") (define-public heimdal (package (name "heimdal") - (version "1.5.3") + (version "7.4.0") (source (origin (method url-fetch) - (uri (string-append "http://www.h5l.org/dist/src/heimdal-" - version ".tar.gz")) + (uri (string-append "https://github.com/" name "/" name + "/releases/download/" name "-" version + "/" name "-" version ".tar.gz")) (sha256 (base32 - "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma")) - (patches (search-patches "heimdal-CVE-2017-6594.patch" - "heimdal-CVE-2017-11103.patch")) + "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x")) (modules '((guix build utils))) (snippet '(substitute* "configure" 
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.") (("Date=.*$") "Date=2017\n"))))) (build-system gnu-build-system) (arguments - '(#:configure-flags (list - ;; Work around a linker error. - "CFLAGS=-pthread" + '(#:modules ((guix build gnu-build-system) + (guix build utils) + (srfi srfi-26)) + + #:configure-flags (list + (string-append "CPPFLAGS=-D_PATH_BSHELL=" + (assoc-ref %build-inputs "bash") + "/bin/sh") ;; Avoid 7 MiB of .a files. "--disable-static" ;; Do not build libedit. - (string-append - "--with-readline-lib=" - (assoc-ref %build-inputs "readline") "/lib") - (string-append - "--with-readline-include=" - (assoc-ref %build-inputs "readline") "/include")) + (string-append "--with-readline=" + (assoc-ref %build-inputs "readline")) + + ;; Do not build sqlite. + (string-append "--with-sqlite3=" + (assoc-ref %build-inputs "sqlite"))) #:phases (modify-phases %standard-phases + (add-after 'unpack 'pre-build + (lambda _ + (for-each (lambda (file) ;fix sh paths + (substitute* file + (("/bin/sh") + (which "sh")))) + '("appl/afsutil/pagsh.c" "tools/Makefile.am")) + (substitute* "lib/roken/getxxyyy.c" ;set user during test + (("user = getenv\\(\"USER\"\\);") + (format #f + "#ifndef TEST_GETXXYYY +#error \"TEST_GETXXYYY is not defined\" +#endif +user = \"~a\"; +" + (passwd:name (getpwuid (getuid)))))) + #t)) + + (add-after 'pre-build 'autogen + (lambda _ + (zero? (system* "sh" "autogen.sh")))) + + ;; FIXME: figure out the complete list of bundled libraries + (add-after 'configure 'remove-bundled-libraries + (lambda _ + (for-each delete-file-recursively + '("lib/libedit" "lib/sqlite")))) + (add-before 'check 'skip-tests (lambda _ - ;; The test simply runs 'ftp --version && ftp --help' - ;; but that fails in the chroot because 'ftp' tries to - ;; do a service lookup before printing the help/version. 
- (substitute* "appl/ftp/ftp/Makefile.in" - (("^CHECK_LOCAL =.*") - "CHECK_LOCAL = no-check-local\n")) + ;; skip db tests for now + ;; FIXME: figure out why they fail + (call-with-output-file "tests/db/have-db.in" + (cut format <> "#!~a~%exit 1~%" (which "sh"))) #t))))) + (native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et' - (inputs `(("readline" ,readline) + (inputs `(("autoconf" ,autoconf) ;for autogen + ("automake" ,automake) + ("libtool" ,libtool) + ("perl" ,perl) + ("perl-json" ,perl-json) + + ("texinfo" ,texinfo) ;for doc + ("unzip" ,unzip) ;for test + + ("readline" ,readline) + ("sqlite" ,sqlite) ("bdb" ,bdb) ("e2fsprogs" ,e2fsprogs))) ;for libcom_err (home-page "http://www.h5l.org/") -- 2.14.2

Cheers,
Alex
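Review bot: the source hunk silently drops `(patches (search-patches "heimdal-CVE-2017-6594.patch" "heimdal-CVE-2017-11103.patch"))`; since carrying those fixes upstream is the reason for this update, the commit message's `[source]` line should say so (for example "Update source uri; remove the CVE-2017-6594 and CVE-2017-11103 patches, included in 7.4.0"), and the two patch files, together with the entry that registers them, should be deleted in the same commit so they do not linger unreferenced. The hunk also moves the download from http://www.h5l.org/dist/src/ to a GitHub release asset built from `name` and `version`, so please confirm the new `sha256` was taken from the upstream-published 7.4.0 tarball and not only from what the mirror served.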
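Review bot: in the arguments/inputs hunk, autoconf, automake, libtool, perl, perl-json, texinfo and unzip are build-time tools (the hunk's own comments say ";for autogen", ";for doc" and ";for test") and belong in the new `native-inputs` field next to e2fsprogs rather than in `inputs`; when cross-compiling, `inputs` are built for the target system, so tools listed there cannot run during the build. Two smaller points in the same hunk: the `remove-bundled-libraries` phase ends with `for-each`, whose return value is unspecified, while the sibling phases end with `#t`, so append `#t` for consistency; and `skip-tests` overwrites tests/db/have-db.in with a script that does `exit 1`, which disables the whole tests/db directory for a security-motivated update, so the ";; FIXME: figure out why they fail" comment should at least record which tests fail and why skipping them is considered acceptable until the root cause is found.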
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Leo Famulari @ 2017-11-26 22:59 UTC
To: Alex Vong; +Cc: Ricardo Wurmus, 27749

On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?
* bug#27749: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: 宋文武 @ 2018-06-10 8:04 UTC
To: Alex Vong; +Cc: Ricardo Wurmus, 27749-done

Alex Vong <alexvong1995@gmail.com> writes:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjusted this patch to version '7.5.0' and pushed it, thank you!

Closing now :-)
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong @ 2018-06-25 3:16 UTC
To: 宋文武; +Cc: Ricardo Wurmus, 27749-done

Thanks for taking care of it!

On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:
> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependencies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjusted this patch to version '7.5.0' and pushed it, thank you!
>
> Closing now :-)