From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id GJ35FL19NWTrjwAASxT56A (envelope-from ) for ; Tue, 11 Apr 2023 17:33:17 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id YA4AFL19NWTBnwAAG6o9tA (envelope-from ) for ; Tue, 11 Apr 2023 17:33:17 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id DC4A6380F2 for ; Tue, 11 Apr 2023 17:33:16 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pmFzV-0002J3-2L; Tue, 11 Apr 2023 11:33:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pmFzS-0002Ie-JD for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pmFzR-0000BL-Uf for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pmFzR-0000Uf-Qs for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 11 Apr 2023 15:33:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 62760 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Felix Lechner Cc: 62760@debbugs.gnu.org, Leo Famulari Received: via spool by 62760-submit@debbugs.gnu.org id=B62760.16812271741883 (code B ref 62760); Tue, 11 Apr 2023 15:33:01 +0000 Received: (at 62760) by debbugs.gnu.org; 11 Apr 2023 15:32:54 +0000 Received: from localhost ([127.0.0.1]:37999 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pmFzJ-0000UI-K1 for submit@debbugs.gnu.org; Tue, 11 Apr 2023 11:32:53 -0400 Received: from mail-qv1-f46.google.com ([209.85.219.46]:35790) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pmFzG-0000U2-JY for 62760@debbugs.gnu.org; Tue, 11 Apr 2023 11:32:52 -0400 Received: by mail-qv1-f46.google.com with SMTP id e9so5709293qvv.2 for <62760@debbugs.gnu.org>; Tue, 11 Apr 2023 08:32:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681227165; x=1683819165; h=mime-version:user-agent:message-id:in-reply-to:date:references :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=; b=NSlZDHYmi38NoxxWrojZ9aVsV5QxNhKuBXl80nxb/lG3oTcy0JKE4V1aHmPEvPCQdf tz79vgSoFiOfrv3xekRpxziAtGKbV0TJoGKRNoAcuaNpN34vPlWTzuL2znFxpWbrlUN/ yQm/FYudlyir+84MuJoWCIQN/jLrdl69uVkP8QVNL/SCVU1DCO7RX9QT7XKdnxiYqrz5 XCQDDvXH4OEvOfnkX49eqJl0G7U2LRVBKAIREy7M5QC2j7cr6LUv0GDmb+Lpp4u+WiwF /FdxuhRd9iDyGSWmmGFlP3Huebflw5l/e+HBxJ+GnOj7HTkxXnRJtvcINc5J9MgJpNh3 0LUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681227165; x=1683819165; h=mime-version:user-agent:message-id:in-reply-to:date:references :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=; b=5BjN2ZFJami/agA8faQEqnq3ivvgEt9PXvPBucyeMbSGxoeoFvx4H0JgPgQRLEXmXC 6CzP42b4PjY5cbXC4Ssto/DBvco18mqK5f+dmUeYH4oDxNx10C9t3jB9RUWBK6PpuiKl MTMtagudaSeoWX/sFg7y2Ic3aDE7y3pZ9WMWwVxnHWWZHAifHBI9mfdpeB7MUQckT5j1 Csflhe3j4WaJUD7WpqyRDRjHfKsGraXoki1ho7KFD5yZNo/oBj/YPwoHG1qL7LdyyP2l GVls/U6vRbKC1GAcA7b0Zv8Wx3EpL7o5docHNisV3Z9h9I9mGl6zRaZ6MCMbT5+XMWC3 W6pA== X-Gm-Message-State: AAQBX9cC+McdtpDM1xCqCl8Hw7OYaXjcCp5Otlk8iX8BeocLUQvSV8Ik grw5GPz+mefXqQmaSeisP5A3JLAQ3v8= X-Google-Smtp-Source: AKy350Y0Z/V4U77uqSWARyD82pDvP8YOBRJ73THYjq4PhIul+I0EYwisNXhn4+yqz8kjOjAo6YLnpA== X-Received: by 2002:ad4:5c8f:0:b0:56e:a96b:a3a1 with SMTP id o15-20020ad45c8f000000b0056ea96ba3a1mr5798030qvh.7.1681227164818; Tue, 11 Apr 2023 08:32:44 -0700 (PDT) Received: from hurd (dsl-152-224.b2b2c.ca. [66.158.152.224]) by smtp.gmail.com with ESMTPSA id y136-20020a37648e000000b0074aafac45c1sm578742qkb.47.2023.04.11.08.32.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Apr 2023 08:32:44 -0700 (PDT) From: Maxim Cournoyer References: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> Date: Tue, 11 Apr 2023 11:32:43 -0400 In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:11 -0700") Message-ID: <87wn2imo2s.fsf_-_@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1681227197; a=rsa-sha256; cv=none; b=CvpaVgBditIgGsHryyz89K8fB46XgmxLcFrdtPv+Y0xTUlikvA5ZcQ20IXrfYVoal5QoS/ 0UKrM+tfchBraZ6zt+AivxMvThyIUVYL28w6yVWdcbvTOczcXu7QgmKpMk282Aibpqqn16 w94LQaX3fipL7aXUyyTdCUCoKagslgDvBWw4ZHw10wa3nILIlDJCd9f4Si04Wd5mJt83Sl 4l5pgdbdC8xvax5C6AWY+IG3Br5XWNlDAh1Klqb081xt8mEXLtLrzfPGZLgXBP9SXii7/I n/qenuLafhvQtVJJkU2QZ/HS0ktrTX0G5T0eTFY8bJ8mQ8dpyNucf4bO+Z/C8A== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=NSlZDHYm; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1681227197; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=; b=ooQ+70dEDsRd9r4KTIzMFvH8cJH1P/3wCV+j+z5sAC7CrpWEXU7XRY3SGWvnP876btLfA4 GtIuxtG9+HKButpgq7TF87GHHHiH0k+uLVOcoJ6Kdr2x0uL8t9/U39twE4qT0khBUftlCQ S28LXaZ0zkHM/KGEfFtATvLz/kVZ+EnZoq0qr9ZbWIGrv0F/qtzt9bcwb8XFtURW6bU0Gn +uEE4DN/pOmjO0mYDmjgkjt0r3M4rnZgP81WidG9+eKASpsTP3q/4BKhShQbzS5PH7OiyB shvZuTLtWPMk3tgU4n+S9QZf5SPGwyyeh6GNNNFetIFcHb2I6t7nOUlfgtKfwQ== X-Migadu-Spam-Score: 5.78 X-Migadu-Scanner: scn1.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=NSlZDHYm; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Spam-Score: 5.78 X-Migadu-Queue-Id: DC4A6380F2 X-TUID: OXbzXz6ZWtNK Hello, Felix Lechner writes: > Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The > upstream release announcement calls it "a severe vulnerability, possibly a > 10.0 on the Common Vulnerability Scoring System (CVSS) v3." > > The upstream developers further "believe it should be possible to get an RCE > [remote code execution] on a KDC, which means that credentials can be > compromised that can be used to impersonate anyone in a realm or forest of > realms." "While no zero-day exploit is known, such an exploit will likely be > available soon after public disclosure." [2] > > [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640 > [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0 > > * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0. I've fixed the commit message to use the GNU ChangeLog style; see: info '(standards) Style of Change Logs'. > --- > gnu/packages/kerberos.scm | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index 9454a5983e..ae4efcbc23 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm > @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos) > #:use-module (gnu packages bison) > #:use-module (gnu packages dbm) > #:use-module (gnu packages perl) > + #:use-module (gnu packages python) > #:use-module (gnu packages gettext) > #:use-module (gnu packages gnupg) > #:use-module (gnu packages libidn) > @@ -166,7 +167,7 @@ (define-public shishi > (define-public heimdal > (package > (name "heimdal") > - (version "7.7.0") > + (version "7.8.0") > (source (origin > (method url-fetch) > (uri (string-append > @@ -174,14 +175,14 @@ (define-public heimdal > "heimdal-" version "/" "heimdal-" version ".tar.gz")) > (sha256 > (base32 > - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh")) > + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) > (modules '((guix build utils))) > (snippet > '(begin > (substitute* "configure" > (("User=.*$") "User=Guix\n") > (("Host=.*$") "Host=GNU") > - (("Date=.*$") "Date=2019\n")))))) > + (("Date=.*$") "Date=2022\n")))))) > (build-system gnu-build-system) > (arguments > `(#:configure-flags > @@ -249,7 +250,8 @@ (define-public heimdal > (native-inputs (list e2fsprogs ;for 'compile_et' > texinfo > unzip ;for tests > - perl)) > + perl > + python)) Thanks! I've dropped perl, which appears unnecessary to build/run the test suite. -- Thanks, Maxim