[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].

[Alex Vong <alexvong1995@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 2508 bytes --]

Leo Famulari <leo@famulari.name> writes:

[...]
>> 2. A lots of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also the configure script provides options to use
system library instead of bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>> 
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>>         #:phases (modify-phases %standard-phases
>> +                  (add-after 'unpack 'pre-build
>> +                    (lambda _
>> +                      (for-each (lambda (file) ;fix sh paths
>> +                                  (substitute* file
>> +                                    (("/bin/sh")
>> +                                     (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try but personally I prefer patching the source and re-generate
the generated files. Patching the generated files feel like a hack to
me. What do you think?

Thanks for the suggestions!

Here is the patch:

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-11103.patch --]
[-- Type: text/x-diff, Size: 3800 bytes --]

From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
               (sha256
                (base32
                 "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+              (patches (search-patches "heimdal-CVE-2017-11103.patch"))
               (modules '((guix build utils)))
               (snippet
                '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+ 					      &tmp_principal,
+-					      rep->kdc_rep.ticket.sname,
+-					      rep->kdc_rep.ticket.realm);
++					      rep->enc_part.sname,
++					      rep->enc_part.srealm);
+     if (ret)
+ 	goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
-- 
2.13.3


[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]


Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]