* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
[not found] <cover.1681155077.git.felix.lechner@lease-up.com>
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
2023-04-10 23:05 ` Leo Famulari
2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner
Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."
The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
gnu/packages/kerberos.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
#:use-module (gnu packages perl)
+ #:use-module (gnu packages python)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gnupg)
#:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
(define-public heimdal
(package
(name "heimdal")
- (version "7.7.0")
+ (version "7.8.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
"heimdal-" version "/" "heimdal-" version ".tar.gz"))
(sha256
(base32
- "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+ "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
(modules '((guix build utils)))
(snippet
'(begin
(substitute* "configure"
(("User=.*$") "User=Guix\n")
(("Host=.*$") "Host=GNU")
- (("Date=.*$") "Date=2019\n"))))))
+ (("Date=.*$") "Date=2022\n"))))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
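Review bot: the `Date=` substitution at the end of this hunk now hardcodes 2022 and will silently go stale on the next update. The three `User=`/`Host=`/`Date=` substitutions appear to exist only to keep build-environment details out of the binary for reproducibility; a one-line comment saying so, or a value derived from `version` rather than a literal year, would save the next updater a guess.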
@@ -249,7 +250,8 @@ (define-public heimdal
(native-inputs (list e2fsprogs ;for 'compile_et'
texinfo
unzip ;for tests
- perl))
+ perl
+ python))
(inputs (list readline
bash-minimal
bdb
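Review bot: python is added to native-inputs here, but the ChangeLog entry says only "Update to 7.8.0". Add a line such as `[native-inputs]: Add python.` and state why it is needed now (the 7.8.0 sources no longer build without it), otherwise a later cleanup may drop it as unused and reintroduce the build failure.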
--
2.39.2
* [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
[not found] <cover.1681155077.git.felix.lechner@lease-up.com>
2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
2023-04-10 23:07 ` Leo Famulari
2023-04-10 19:52 ` [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
3 siblings, 1 reply; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner
Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.
The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
gnu/packages/kerberos.scm | 2 +
.../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
(sha256
(base32
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+ (patches (search-patches
+ "heimdal-CVE-2022-45142.patch"))
(modules '((guix build utils)))
(snippet
'(begin
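Review bot: the new patch file must also be registered in `gnu/local.mk` under `dist_patch_DATA`; the diffstat above lists only kerberos.scm and the patch itself, so the file would be missing from generated source distributions of Guix. Minor style point: `(patches (search-patches "heimdal-CVE-2022-45142.patch"))` fits on one line, which is the indentation used elsewhere in this file.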
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
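Review bot: the security consequence of the two inverted lines deserves to be spelled out in the patch header rather than left as "logic inversions". With `== 0`, `cmp` was true exactly when the stored SGN_CKSUM matched the computed one, so `_gssapi_verify_mic_arcfour` returned GSS_S_BAD_MIC for genuine tokens and fell through to success for any token whose checksum did not match; `_gssapi_unwrap_arcfour` had the same inversion. In other words the integrity check accepted every forgery and rejected every valid message, which is why a plain "genuine MIC accepted, modified MIC rejected" test would have caught the backport error.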
--
2.39.2
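The inverted checksum check that the patch above corrects, as an added example that is not Heimdal's code and not part of the original thread. `ct_memcmp`, the status codes and the 8-byte sample checksums are re-implemented and constructed here for illustration; only the `== 0` versus `!= 0` shape of the two verifiers is taken from the patch.

```c
/* Added example: why the CVE-2022-45142 inversion matters.
 * Nothing here is Heimdal's code; ct_memcmp and the GSS_S_* values are
 * simplified stand-ins (assumption), and the checksums are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CKSUM_LEN 8
#define GSS_S_COMPLETE 0u
#define GSS_S_BAD_MIC  1u

/* Constant-time comparison: 0 when equal, non-zero otherwise.  It never
 * exits early, so timing does not reveal the first differing byte. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];
    return diff;
}

/* Shape of the code shipped in 7.7.1/7.8.0: cmp is true when the checksums
 * MATCH, so a genuine MIC is rejected and a forged one is accepted. */
unsigned verify_mic_buggy(const unsigned char *expected,
                          const unsigned char *received)
{
    int cmp = (ct_memcmp(expected, received, CKSUM_LEN) == 0);
    if (cmp)
        return GSS_S_BAD_MIC;
    return GSS_S_COMPLETE;
}

/* Shape of the patched code: cmp is true only when the checksums DIFFER. */
unsigned verify_mic_fixed(const unsigned char *expected,
                          const unsigned char *received)
{
    int cmp = (ct_memcmp(expected, received, CKSUM_LEN) != 0);
    if (cmp)
        return GSS_S_BAD_MIC;
    return GSS_S_COMPLETE;
}

/* The regression test the backport was missing: a verifier is sound only if
 * it accepts the genuine checksum AND rejects a one-byte forgery.
 * Returns 1 when sound, 0 otherwise. */
int verifier_is_sound(unsigned (*verify)(const unsigned char *,
                                         const unsigned char *))
{
    /* Constructed sample data, not a real SGN_CKSUM. */
    const unsigned char genuine[CKSUM_LEN] =
        {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    unsigned char forged[CKSUM_LEN];
    memcpy(forged, genuine, CKSUM_LEN);
    forged[CKSUM_LEN - 1] ^= 0x01;          /* flip one bit */

    int accepts_genuine = (verify(genuine, genuine) == GSS_S_COMPLETE);
    int rejects_forged  = (verify(genuine, forged)  == GSS_S_BAD_MIC);
    return accepts_genuine && rejects_forged;
}

int main(void)
{
    printf("buggy verifier sound: %d\n", verifier_is_sound(verify_mic_buggy));
    printf("fixed verifier sound: %d\n", verifier_is_sound(verify_mic_fixed));
    return 0;
}
```

`verifier_is_sound` is the check worth keeping in a test suite: the buggy form fails both halves of it, which is what makes the bug total rather than a subtle weakening.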
* [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
[not found] <cover.1681155077.git.felix.lechner@lease-up.com>
2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
3 siblings, 0 replies; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner
This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]
First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.
The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.
Also enables support for the OpenLDAP backend for the principals database.
[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
gnu/packages/kerberos.scm | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
(define-module (gnu packages kerberos)
#:use-module (gnu packages)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
+ #:use-module (gnu packages flex)
#:use-module (gnu packages perl)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages libidn)
#:use-module (gnu packages hurd)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages openldap)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages compression)
#:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
(format #t "#!~a~%exit 1~%" (which "sh")))))))
;; Tests fail when run in parallel.
#:parallel-tests? #f))
- (native-inputs (list e2fsprogs ;for 'compile_et'
+ (native-inputs (list bison
+ e2fsprogs ;for 'compile_et'
+ flex
+ libcap-ng
texinfo
unzip ;for tests
+ openldap
perl
+ pkg-config
python))
(inputs (list readline
bash-minimal
bdb
e2fsprogs ;for libcom_err
- mit-krb5
+ libcap-ng
+ openldap
sqlite))
(home-page "http://www.h5l.org/")
(synopsis "Kerberos 5 network authentication")
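Review bot: libcap-ng and openldap are runtime libraries that get linked into the built heimdal, so they belong in `inputs` only; listing them in `native-inputs` as well is redundant. Two further points on this hunk: the ChangeLog entry names `(darktable)` where it should name `(heimdal)`, and the removal of mit-krb5 should state that the build and test suite were run without it, since the message itself says only that its purpose was unclear.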
--
2.39.2
* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-10 23:05 ` Leo Famulari
2023-04-11 4:15 ` Felix Lechner via Guix-patches via
0 siblings, 1 reply; 12+ messages in thread
From: Leo Famulari @ 2023-04-10 23:05 UTC (permalink / raw)
To: 62760; +Cc: felix.lechner
On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via wrote:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
Thanks for this!
> @@ -249,7 +250,8 @@ (define-public heimdal
> (native-inputs (list e2fsprogs ;for 'compile_et'
> texinfo
> unzip ;for tests
> - perl))
> + perl
> + python))
Is this part intentional? It wasn't mentioned in the commit message.
* [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-10 23:07 ` Leo Famulari
0 siblings, 0 replies; 12+ messages in thread
From: Leo Famulari @ 2023-04-10 23:07 UTC (permalink / raw)
To: 62760; +Cc: felix.lechner
On Mon, Apr 10, 2023 at 12:52:25PM -0700, Felix Lechner via Guix-patches via wrote:
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
> ---
> gnu/packages/kerberos.scm | 2 +
> .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
It's necessary to register the new patch file in 'gnu/local.mk'.
Otherwise it won't be included in certain generated distributions of the
Guix source code. Examples are in the git log. Can you send a revised
patch?
* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
2023-04-10 23:05 ` Leo Famulari
@ 2023-04-11 4:15 ` Felix Lechner via Guix-patches via
0 siblings, 0 replies; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11 4:15 UTC (permalink / raw)
To: Leo Famulari; +Cc: 62760
Hi Leo,
On Mon, Apr 10, 2023 at 4:05 PM Leo Famulari <leo@famulari.name> wrote:
>
> > + python))
>
> Is this part intentional?
Yes, the sources for 7.8.0 failed to build without Python. I believe
it was due to that commit
https://github.com/heimdal/heimdal/commit/6415a2032ec4b2ecc5917dae85b8f9e6f9e221d2
which fixed that issue:
https://github.com/heimdal/heimdal/issues/696
Kind regards,
Felix Lechner
* [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0.
[not found] <cover.1681155077.git.felix.lechner@lease-up.com>
` (2 preceding siblings ...)
2023-04-10 19:52 ` [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11 4:23 ` Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
` (2 more replies)
3 siblings, 3 replies; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11 4:23 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner, Leo Famulari
Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."
The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
gnu/packages/kerberos.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
#:use-module (gnu packages perl)
+ #:use-module (gnu packages python)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gnupg)
#:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
(define-public heimdal
(package
(name "heimdal")
- (version "7.7.0")
+ (version "7.8.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
"heimdal-" version "/" "heimdal-" version ".tar.gz"))
(sha256
(base32
- "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+ "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
(modules '((guix build utils)))
(snippet
'(begin
(substitute* "configure"
(("User=.*$") "User=Guix\n")
(("Host=.*$") "Host=GNU")
- (("Date=.*$") "Date=2019\n"))))))
+ (("Date=.*$") "Date=2022\n"))))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -249,7 +250,8 @@ (define-public heimdal
(native-inputs (list e2fsprogs ;for 'compile_et'
texinfo
unzip ;for tests
- perl))
+ perl
+ python))
(inputs (list readline
bash-minimal
bdb
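Review bot: this hunk is unchanged from v1 and the commit message still does not mention python. The explanation given earlier in the thread, that the 7.8.0 sources fail to build without Python, belongs in the ChangeLog entry so that the reason survives outside the mailing-list archive.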
base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
--
2.39.2
* [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142.
2023-04-11 4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-11 4:23 ` Felix Lechner via Guix-patches via
2023-04-11 15:34 ` [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Maxim Cournoyer
2023-04-11 4:23 ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
2023-04-11 15:32 ` [bug#62760] " Maxim Cournoyer
2 siblings, 1 reply; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11 4:23 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner, Leo Famulari
Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.
The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 2 +
.../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
3 files changed, 52 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..f4cd3f448a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1327,6 +1327,7 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2022-45142.patch \
%D%/packages/patches/helm-fix-gcc-9-build.patch \
%D%/packages/patches/http-parser-CVE-2020-8287.patch \
%D%/packages/patches/htslib-for-stringtie.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
(sha256
(base32
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+ (patches (search-patches
+ "heimdal-CVE-2022-45142.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
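Review bot: the `From:` and `Signed-off-by:` lines carry `helmut@...divi.de`, which is the web archive's address obfuscation rather than the author's address; restore the real address from the original message before committing so the sign-off is meaningful. The `NB (Felix Lechner)` origin note would also be better placed at the very top of the file, where Guix patches conventionally state provenance and upstream status, rather than between the changelog and the diff.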
--
2.39.2
* [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
2023-04-11 4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-11 4:23 ` Felix Lechner via Guix-patches via
2023-04-11 15:37 ` bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Maxim Cournoyer
2023-04-11 15:32 ` [bug#62760] " Maxim Cournoyer
2 siblings, 1 reply; 12+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11 4:23 UTC (permalink / raw)
To: 62760; +Cc: Felix Lechner, Leo Famulari
This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]
First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.
The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.
Also enables support for the OpenLDAP backend for the principals database.
[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
gnu/packages/kerberos.scm | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
(define-module (gnu packages kerberos)
#:use-module (gnu packages)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
+ #:use-module (gnu packages flex)
#:use-module (gnu packages perl)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages libidn)
#:use-module (gnu packages hurd)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages openldap)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages compression)
#:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
(format #t "#!~a~%exit 1~%" (which "sh")))))))
;; Tests fail when run in parallel.
#:parallel-tests? #f))
- (native-inputs (list e2fsprogs ;for 'compile_et'
+ (native-inputs (list bison
+ e2fsprogs ;for 'compile_et'
+ flex
+ libcap-ng
texinfo
unzip ;for tests
+ openldap
perl
+ pkg-config
python))
(inputs (list readline
bash-minimal
bdb
e2fsprogs ;for libcom_err
- mit-krb5
+ libcap-ng
+ openldap
sqlite))
(home-page "http://www.h5l.org/")
(synopsis "Kerberos 5 network authentication")
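Review bot: adding openldap to inputs relies on `./configure` autodetecting it. Heimdal's configure accepts `--with-openldap=DIR`; passing it explicitly in `#:configure-flags` turns a detection failure into a hard build error instead of a silent build without the LDAP HDB backend. The commit message should also list which configure checks failed before, rather than saying they were "evident from the build log", so the bison, flex and pkg-config additions can be re-evaluated on later updates.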
--
2.39.2
* [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
2023-04-11 4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
2023-04-11 4:23 ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11 15:32 ` Maxim Cournoyer
2 siblings, 0 replies; 12+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:32 UTC (permalink / raw)
To: Felix Lechner; +Cc: 62760, Leo Famulari
Hello,
Felix Lechner <felix.lechner@lease-up.com> writes:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
I've fixed the commit message to use the GNU ChangeLog style;
see: info '(standards) Style of Change Logs'.
> ---
> gnu/packages/kerberos.scm | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 9454a5983e..ae4efcbc23 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
> #:use-module (gnu packages bison)
> #:use-module (gnu packages dbm)
> #:use-module (gnu packages perl)
> + #:use-module (gnu packages python)
> #:use-module (gnu packages gettext)
> #:use-module (gnu packages gnupg)
> #:use-module (gnu packages libidn)
> @@ -166,7 +167,7 @@ (define-public shishi
> (define-public heimdal
> (package
> (name "heimdal")
> - (version "7.7.0")
> + (version "7.8.0")
> (source (origin
> (method url-fetch)
> (uri (string-append
> @@ -174,14 +175,14 @@ (define-public heimdal
> "heimdal-" version "/" "heimdal-" version ".tar.gz"))
> (sha256
> (base32
> - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
> + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> (modules '((guix build utils)))
> (snippet
> '(begin
> (substitute* "configure"
> (("User=.*$") "User=Guix\n")
> (("Host=.*$") "Host=GNU")
> - (("Date=.*$") "Date=2019\n"))))))
> + (("Date=.*$") "Date=2022\n"))))))
> (build-system gnu-build-system)
> (arguments
> `(#:configure-flags
> @@ -249,7 +250,8 @@ (define-public heimdal
> (native-inputs (list e2fsprogs ;for 'compile_et'
> texinfo
> unzip ;for tests
> - perl))
> + perl
> + python))
Thanks! I've dropped perl, which appears unnecessary to build/run the
test suite.
--
Thanks,
Maxim
* [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
2023-04-11 4:23 ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-11 15:34 ` Maxim Cournoyer
0 siblings, 0 replies; 12+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:34 UTC (permalink / raw)
To: Felix Lechner; +Cc: 62760, Leo Famulari
Hi,
Felix Lechner <felix.lechner@lease-up.com> writes:
> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.
I've fixed the change log commit message like so:
--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8---
> ---
> gnu/local.mk | 1 +
> gnu/packages/kerberos.scm | 2 +
> .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
> 3 files changed, 52 insertions(+)
> create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index b7e19b6bc2..f4cd3f448a 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1327,6 +1327,7 @@ dist_patch_DATA = \
> %D%/packages/patches/hdf-eos5-remove-gctp.patch \
> %D%/packages/patches/hdf-eos5-fix-szip.patch \
> %D%/packages/patches/hdf-eos5-fortrantests.patch \
> + %D%/packages/patches/heimdal-CVE-2022-45142.patch \
> %D%/packages/patches/helm-fix-gcc-9-build.patch \
> %D%/packages/patches/http-parser-CVE-2020-8287.patch \
> %D%/packages/patches/htslib-for-stringtie.patch \
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index ae4efcbc23..0faf879e35 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -176,6 +176,8 @@ (define-public heimdal
> (sha256
> (base32
> "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> + (patches (search-patches
> + "heimdal-CVE-2022-45142.patch"))
Nitpick; I've used the more conventional indentation for patches:
--8<---------------cut here---------------start------------->8---
(patches
(search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---
Thank you!
--
Maxim
* bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
2023-04-11 4:23 ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11 15:37 ` Maxim Cournoyer
0 siblings, 0 replies; 12+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:37 UTC (permalink / raw)
To: Felix Lechner; +Cc: 62760-done, Leo Famulari
Hello,
Felix Lechner <felix.lechner@lease-up.com> writes:
> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.
I'm not sure why I needed to add it in the past; I think the build was
broken then without it.
> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.
> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.
I've fixed the change log to read as:
--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.
* gnu/packages/kerberos.scm (heimdal)[native-inputs]:
Add flex, libcap-ng, openldap and pkg-config.
[inputs]: Remove mit-krb5. Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---
But then noticed that libcap-ng and openldap needed not be added to
native-inputs, so I removed those. These are run time libraries.
> ---
> gnu/packages/kerberos.scm | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 0faf879e35..c9c86f9541 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -30,10 +30,12 @@
>
> (define-module (gnu packages kerberos)
> #:use-module (gnu packages)
> + #:use-module (gnu packages admin)
> #:use-module (gnu packages autotools)
> #:use-module (gnu packages bash)
> #:use-module (gnu packages bison)
> #:use-module (gnu packages dbm)
> + #:use-module (gnu packages flex)
> #:use-module (gnu packages perl)
> #:use-module (gnu packages python)
> #:use-module (gnu packages gettext)
> @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
> #:use-module (gnu packages libidn)
> #:use-module (gnu packages hurd)
> #:use-module (gnu packages linux)
> + #:use-module (gnu packages openldap)
> #:use-module (gnu packages pkg-config)
> #:use-module (gnu packages compression)
> #:use-module (gnu packages readline)
> @@ -249,16 +252,22 @@ (define-public heimdal
> (format #t "#!~a~%exit 1~%" (which "sh")))))))
> ;; Tests fail when run in parallel.
> #:parallel-tests? #f))
> - (native-inputs (list e2fsprogs ;for 'compile_et'
> + (native-inputs (list bison
> + e2fsprogs ;for 'compile_et'
> + flex
> + libcap-ng
> texinfo
> unzip ;for tests
> + openldap
> perl
> + pkg-config
> python))
> (inputs (list readline
> bash-minimal
> bdb
> e2fsprogs ;for libcom_err
> - mit-krb5
> + libcap-ng
> + openldap
> sqlite))
> (home-page "http://www.h5l.org/")
> (synopsis "Kerberos 5 network authentication")
Modified like:
--8<---------------cut here---------------start------------->8---
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index a97c2ac87b..9e2f6acd56 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -253,18 +253,16 @@ (define-public heimdal
;; Tests fail when run in parallel.
#:parallel-tests? #f))
(native-inputs (list bison
- e2fsprogs ;for 'compile_et'
+ e2fsprogs ;for 'compile_et'
flex
- libcap-ng
texinfo
- unzip ;for tests
- openldap
+ unzip ;for tests
pkg-config
python))
(inputs (list readline
bash-minimal
bdb
- e2fsprogs ;for libcom_err
+ e2fsprogs ;for libcom_err
libcap-ng
openldap
sqlite))
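Review bot: besides dropping libcap-ng and openldap from native-inputs, this hunk realigns the `;for ...` comments on three otherwise unchanged lines, which makes the substantive change harder to spot in the diff; either keep the cosmetic realignment out of this commit or mention it in the message.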
--8<---------------cut here---------------end--------------->8---
And installed!
--
Thanks,
Maxim
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git