From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34551)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dXUlC-0000sG-0K
	for guix-patches@gnu.org; Tue, 18 Jul 2017 11:50:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dXUl8-0003lf-3n
	for guix-patches@gnu.org; Tue, 18 Jul 2017 11:50:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:44142)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dXUl7-0003lW-Q9
	for guix-patches@gnu.org; Tue, 18 Jul 2017 11:50:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dXUl7-0007b9-Jk
	for guix-patches@gnu.org; Tue, 18 Jul 2017 11:50:01 -0400
Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
	CVE-2017-11103].
Resent-Message-ID: <handler.27749.B27749.150039295029147@debbugs.gnu.org>
Date: Tue, 18 Jul 2017 11:49:06 -0400
From: Leo Famulari <leo@famulari.name>
Message-ID: <20170718154906.GB16798@jasmine.lan>
References: <87wp76kv68.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="8GpibOaaTibBMecb"
Content-Disposition: inline
In-Reply-To: <87wp76kv68.fsf@gmail.com>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 27749@debbugs.gnu.org


--8GpibOaaTibBMecb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> THis patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lots of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=3Ddebian=
/jessie&id=3D6d27073da8b45b5c67ca4ad74696489e49c4df1a

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>=20
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

>         #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'pre-build
> +                    (lambda _
> +                      (for-each (lambda (file) ;fix sh paths
> +                                  (substitute* file
> +                                    (("/bin/sh")
> +                                     (which "sh"))))
> +                                '("appl/afsutil/pagsh.c" "tools/Makefile=
=2Eam"))

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?

--8GpibOaaTibBMecb
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlluLe4ACgkQJkb6MLrK
fwgD7hAAv3heJSRc60o2L4Wxwyk7MXpKb/qufSPeBnO3NWPlb8U1QEJNxlfsA/HO
olwwZ4rQ2YnD/MZrZu1b+suIvAe10mgHNXRmetrvxLHfEmtgq5xJave/6jvdf9w3
XwGyIolYzkR+WcsGtO1JWnVMi+q1L7gQBff592b1YeiJEjXgHQt20e8BG5eUvR2S
BKkuVmsHgeaRiDii/eL50Ji3Cmr3gxb10k+tL1sDfIa2C/7/aZG4VDWwVRv4WmNL
F6jC2KMOcMwIjPl+UTKY85yBIoTLZcQD+Gz1NgdJQyXMpOMAA7rI6H6SUwFolSqR
FMPdxaqjLgpEBR5R6kU5CHDde4gXpnVIdkNG7AXwnI/76fLXFG6Wkl+Q4JGhwOyh
Mm+Ox9ZRcAj4BXCdCYRLp/LHzGUlmOXkEzaGAGm7nYLzx8o/rMsLmh23R+axWmx/
9c/CZODZJ2EOdTpR74mjKLd9W41zXeKlwxzfXh9DV/ujwfT7cjBZ0aO5yhalG2Zi
+ZsHQw+VmHESQeexcN4MALTklTl3TY9SWJ6WndrT35pS+OhOoacahe1Lm/0VCT7+
AChM0XTxeSW/T+4NMoH2dv9GEBtextXqjbQCyNyvfpkNG/Y4mkw+M4SJX7isVF9/
CX0lwqzVY1dmpqjDl/0XcEiLnAAsQEnNBfyX66ti/ft9iLC21rw=
=tyqk
-----END PGP SIGNATURE-----

--8GpibOaaTibBMecb--