[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 361 bytes --]

Tags: security

Hello,

THis patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:

1. Upstream switches to github for hosting
2. A lots of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly

I decide to submit this despite many db tests fail because I think we
should fix CVE-2017-11103 asap.


[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch --]
[-- Type: text/x-diff, Size: 5988 bytes --]

From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
 gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..5682a0add 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages gnupg)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
-              (snippet
+              (snippet ;FIXME: remove bundled libraries
                '(substitute* "configure"
                   (("User=.*$") "User=Guix\n")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.")
                            (assoc-ref %build-inputs "readline") "/include"))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
-- 
2.13.3


[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 2208 bytes --]

On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> THis patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:

Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).

> 1. Upstream switches to github for hosting

Okay.

> 2. A lots of libraries are bundled

Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.

If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.

Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

> 3. Many db tests fail

Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?

> 4. It does not build reproducibly

Not great but also not a blocker.

> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.

>         #:phases (modify-phases %standard-phases
> +                  (add-after 'unpack 'pre-build
> +                    (lambda _
> +                      (for-each (lambda (file) ;fix sh paths
> +                                  (substitute* file
> +                                    (("/bin/sh")
> +                                     (which "sh"))))
> +                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))

Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > THis patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
> 
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).

This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 539 bytes --]

On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a

I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 2508 bytes --]

Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lots of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also the configure script provides options to use
system library instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and re-generate
the generated files. Patching the generated files feel like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-11103.patch --]
[-- Type: text/x-diff, Size: 3800 bytes --]

From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
-- 
2.13.3


[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 379 bytes --]

I find out that our version of heimdal is also affected by
CVE-2017-6594. So I amend the previous patch to fix it as well.

Changes to 'NEWS' and files in 'tests/' does not apply, so I remove
them. Also, I change hunk#4 of 'kdc/krb5tgs.c' so that it applies.

It used to be:

foo
foo*
+bar
+bar*
baz
baz*

Now it is:

foo
foo*
+bar
+bar*
<empty-line>

Here is the updated patch:

[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch --]
[-- Type: scm, Size: 7339 bytes --]

From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.

* gnu/packages/patches/heimdal-CVE-2017-6594.patch,
gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/kerberos.scm (heimdal)[source]: Use them.
---
 gnu/local.mk                                      |  2 +
 gnu/packages/kerberos.scm                         |  2 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++
 gnu/packages/patches/heimdal-CVE-2017-6594.patch  | 85 +++++++++++++++++++++++
 4 files changed, 134 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..5f4bc47a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-6594.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..59fd944c6 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-6594.patch"
+                                       "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
new file mode 100644
index 000000000..714af6030
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
@@ -0,0 +1,85 @@
+Fix CVE-2017-6594:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
+https://security-tracker.debian.org/tracker/CVE-2017-6594
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
+
+To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
+files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
+
+From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@twosigma.com>
+Date: Wed, 10 Aug 2016 23:31:14 +0000
+Subject: [PATCH] Fix transit path validation CVE-2017-6594
+
+Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
+to not be added to the transit path of issued tickets.  This may, in
+some cases, enable bypass of capath policy in Heimdal versions 1.5
+through 7.2.
+
+Note, this may break sites that rely on the bug.  With the bug some
+incomplete [capaths] worked, that should not have.  These may now break
+authentication in some cross-realm configurations.
+---
+ NEWS                   | 14 ++++++++++++++
+ kdc/krb5tgs.c          | 12 ++++++++++--
+ tests/kdc/check-kdc.in | 17 +++++++++++++++++
+ tests/kdc/krb5.conf.in |  4 ++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 6048b9c55..98503812f 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
+ 		  "Decoding transited encoding");
+ 	return ret;
+     }
++
++    /*
++     * If the realm of the presented tgt is neither the client nor the server
++     * realm, it is a transit realm and must be added to transited set.
++     */
+     if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+-	/* not us, so add the previous realm to transited set */
+ 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ 	    ret = ERANGE;
+ 	    goto free_realms;
+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
+ 	       const char *server_name,
+ 	       hdb_entry_ex *client,
+ 	       krb5_principal client_principal,
++               const char *tgt_realm,
+ 	       hdb_entry_ex *krbtgt,
+ 	       krb5_enctype krbtgt_etype,
+ 	       krb5_principals spp,
+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
+ 				 &tgt->transited, &et,
+ 				 krb5_principal_get_realm(context, client_principal),
+ 				 krb5_principal_get_realm(context, server->entry.principal),
+-				 krb5_principal_get_realm(context, krbtgt->entry.principal));
++				 tgt_realm);
+     if(ret)
+ 	goto out;
+ 
+@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
+     krb5_keyblock sessionkey;
+     krb5_kvno kvno;
+     krb5_data rspac;
++    const char *tgt_realm = /* Realm of TGT issuer */
++        krb5_principal_get_realm(context, krbtgt->entry.principal);
+
+@@ -2324,6 +2331,7 @@ server_lookup:
+ 			 spn,
+ 			 client,
+ 			 cp,
++                         tgt_realm,
+ 			 krbtgt_out,
+ 			 tkey_sign->key.keytype,
+ 			 spp,
+-- 
+2.13.3
+
-- 
2.13.3


[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 970 bytes --]

On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
> 
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
> 
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.

Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.

I'm leaving this bug open for now so we can discuss the update.

By the way everyone, the vulnerability disclosure / promotion web page,
<https://orpheus-lyre.info>, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Ricardo Wurmus]

Hi Alex,

> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.

As mentioned before, the new release bundles a bunch of third party
libraries.  It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.

Can we learn from the Debian package for heimdal here?

I think we really ought to update from the very old version we are using
currently.

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 1796 bytes --]

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
exmaples, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 366 bytes --]

Hello,

This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependecies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.

Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).


[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0.patch --]
[-- Type: text/x-diff, Size: 6463 bytes --]

From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
and sqlite.
---
 gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a..fde310e65 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.")
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "1.5.3")
+    (version "7.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://github.com/" name "/" name
+                                  "/releases/download/" name "-" version
+                                  "/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
-              (patches (search-patches "heimdal-CVE-2017-6594.patch"
-                                       "heimdal-CVE-2017-11103.patch"))
+                "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.")
                   (("Date=.*$") "Date=2017\n")))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags (list
-                          ;; Work around a linker error.
-                          "CFLAGS=-pthread"
+     '(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-26))
+
+       #:configure-flags (list
+                          (string-append "CPPFLAGS=-D_PATH_BSHELL="
+                                         (assoc-ref %build-inputs "bash")
+                                         "/bin/sh")
 
                           ;; Avoid 7 MiB of .a files.
                           "--disable-static"
 
                           ;; Do not build libedit.
-                          (string-append
-                           "--with-readline-lib="
-                           (assoc-ref %build-inputs "readline") "/lib")
-                          (string-append
-                           "--with-readline-include="
-                           (assoc-ref %build-inputs "readline") "/include"))
+                          (string-append "--with-readline="
+                                         (assoc-ref %build-inputs "readline"))
+
+                          ;; Do not build sqlite.
+                          (string-append "--with-sqlite3="
+                                         (assoc-ref %build-inputs "sqlite")))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'pre-build
+                    (lambda _
+                      (for-each (lambda (file) ;fix sh paths
+                                  (substitute* file
+                                    (("/bin/sh")
+                                     (which "sh"))))
+                                '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+                      (substitute* "lib/roken/getxxyyy.c" ;set user during test
+                        (("user = getenv\\(\"USER\"\\);")
+                         (format #f
+                                 "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+                                 (passwd:name (getpwuid (getuid))))))
+                      #t))
+
+                  (add-after 'pre-build 'autogen
+                    (lambda _
+                      (zero? (system* "sh" "autogen.sh"))))
+
+                  ;; FIXME: figure out the complete list of bundled libraries
+                  (add-after 'configure 'remove-bundled-libraries
+                    (lambda _
+                      (for-each delete-file-recursively
+                                '("lib/libedit" "lib/sqlite"))))
+
                   (add-before 'check 'skip-tests
                     (lambda _
-                      ;; The test simply runs 'ftp --version && ftp --help'
-                      ;; but that fails in the chroot because 'ftp' tries to
-                      ;; do a service lookup before printing the help/version.
-                      (substitute* "appl/ftp/ftp/Makefile.in"
-                        (("^CHECK_LOCAL =.*")
-                         "CHECK_LOCAL = no-check-local\n"))
+                      ;; skip db tests for now
+                      ;; FIXME: figure out why they fail
+                      (call-with-output-file "tests/db/have-db.in"
+                        (cut format <> "#!~a~%exit 1~%" (which "sh")))
                       #t)))))
+
     (native-inputs `(("e2fsprogs" ,e2fsprogs)))   ;for 'compile_et'
-    (inputs `(("readline" ,readline)
+    (inputs `(("autoconf" ,autoconf)              ;for autogen
+              ("automake" ,automake)
+              ("libtool" ,libtool)
+              ("perl" ,perl)
+              ("perl-json" ,perl-json)
+
+              ("texinfo" ,texinfo)                ;for doc
+              ("unzip" ,unzip)                    ;for test
+
+              ("readline" ,readline)
+              ("sqlite" ,sqlite)
               ("bdb" ,bdb)
               ("e2fsprogs" ,e2fsprogs)))          ;for libcom_err
     (home-page "http://www.h5l.org/")
-- 
2.14.2


[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 983 bytes --]

On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
> 
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
> 
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
> 

> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.

What's the status of this patch? Did anyone test it?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#27749: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[宋文武]

Alex Vong <alexvong1995@gmail.com> writes:

> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependecies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>

Hello, I adjust this patch to version '7.5.0', and pushed, thank you!

Closing now :-)

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 892 bytes --]

Thanks for taking care of it!


On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:

> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependecies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjust this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>

[-- Attachment #2: Type: text/html, Size: 1443 bytes --]