Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong
Date: Wed, 19 Jul 2017 17:22:53 +0800
To: Leo Famulari
Cc: 27749@debbugs.gnu.org
Message-ID: <87bmogzspe.fsf@gmail.com>
In-Reply-To: <20170718154906.GB16798@jasmine.lan> (Leo Famulari's message of "Tue, 18 Jul 2017 11:49:06 -0400")
References: <87wp76kv68.fsf@gmail.com> <20170718154906.GB16798@jasmine.lan>

Leo Famulari writes:

[...]

>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>

They live in lib/. Also the configure script provides options to use
system libraries instead of the bundled ones.

> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>

Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.

>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>

I don't know. I am hoping some test failures will disappear after we
remove the bundled libraries.

>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>> #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'pre-build
>> + (lambda _
>> + (for-each (lambda (file) ;fix sh paths
>> + (substitute* file
>> + (("/bin/sh")
>> + (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?

I will try, but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to me.
What do you think?

Thanks for the suggestions! Here is the patch:

Content-Disposition: inline; filename=0001-gnu-heimdal-Fix-CVE-2017-11103.patch

From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.

* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/kerberos.scm                         |  1 +
 gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA = \
   %D%/packages/patches/hdf-eos5-remove-gctp.patch \
   %D%/packages/patches/hdf-eos5-fix-szip.patch \
   %D%/packages/patches/hdf-eos5-fortrantests.patch \
+  %D%/packages/patches/heimdal-CVE-2017-11103.patch \
   %D%/packages/patches/higan-remove-march-native-flag.patch \
   %D%/packages/patches/hubbub-sort-entities.patch \
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
              (sha256
               (base32
                "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+             (patches (search-patches "heimdal-CVE-2017-11103.patch"))
              (modules '((guix build utils)))
              (snippet
               '(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'.  Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+     /* check server referral and save principal */
+     ret = _krb5_principalname2krb5_principal (context,
+                                               &tmp_principal,
+-                                              rep->kdc_rep.ticket.sname,
+-                                              rep->kdc_rep.ticket.realm);
++                                              rep->enc_part.sname,
++                                              rep->enc_part.srealm);
+     if (ret)
+         goto out;
+     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+-- 
+2.13.3
+
-- 
2.13.3

Cheers,
Alex
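Review bot: in the local.mk hunk the new entry sits between hdf-eos5-fortrantests.patch and higan-remove-march-native-flag.patch, which keeps dist_patch_DATA in the sorted order the surrounding entries follow; no change needed, but keep in mind that this list only decides what goes into the distribution tarball, so the build itself picks the patch up through the kerberos.scm change, not through this one.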
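Review bot: in the kerberos.scm hunk the unchanged sha256 is correct: `(patches (search-patches "heimdal-CVE-2017-11103.patch"))` is applied to the unpacked source after the downloaded tarball has been checked against that hash, and the patch is applied before the existing `snippet` runs its `substitute*` on "configure", so the two do not interact (the patch only touches lib/krb5/ticket.c). Worth confirming on the source derivation's build log that `patch` applied the hunk without reporting an offset or fuzz, since the patched tree is the older release and not the 7.x tree the upstream commit was taken from.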
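Review bot: the new-file hunk carries the upstream change verbatim, including its `@@ -705,8 +705,8 @@` offsets for 7.x, its `index d95d96d1b..b8d81c6ad` line and the "unecrypted" typo in the commit message; if the packaged release's `_krb5_extract_ticket` differs in the context lines (the `/* check server referral and save principal */` comment and the `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` test that follows), regenerate the hunk against that tree rather than relying on `patch` fuzz, so a silently misplaced hunk cannot leave the check on the old field names. The property the hunk restores is the one that matters: `tmp_principal`, which the following `EXTRACT_TICKET_ALLOW_SERVER_MISMATCH` branch compares against the requested server, is now built from `rep->enc_part.sname`/`srealm`, which the client has decrypted with a key it holds, instead of from the Ticket's cleartext `sname`/`realm`, which the client cannot authenticate and an on-path attacker can rewrite. The header of the patch file, with the CVE links and the upstream commit URL, is the provenance a reviewer wants and should stay.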
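The flaw the attached patch fixes, modelled as an added example that is not Heimdal's code: a KDC-REP reduced to the two copies of the service name, the pre-fix client check that compares the request against the cleartext Ticket name, the post-fix check that uses the name inside the EncKDCRepPart, and an on-path attacker that relays a reply the KDC issued for a service the attacker controls and rewrites the cleartext name. The HMAC standing in for encryption under the client's key, the principal names, the realm and the key bytes are all constructed for the example.

```python
"""Model of the CVE-2017-11103 (Orpheus' Lyre) client-side check.

Added example, not Heimdal code.  A KDC-REP carries the service name twice:
in the Ticket, which is encrypted under the *service's* key and is therefore
opaque (and rewritable) from the client's point of view, and in the
EncKDCRepPart, which is encrypted under a key the client holds.  Integrity
under the client's key is modelled with an HMAC (constructed stand-in).
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ticket:
    # Cleartext header fields of the Ticket; the client cannot authenticate them.
    sname: str
    realm: str


@dataclass(frozen=True)
class EncKdcRepPart:
    # Fields the client can authenticate; `mac` models the encryption.
    sname: str
    srealm: str
    mac: bytes


@dataclass(frozen=True)
class KdcRep:
    ticket: Ticket
    enc_part: EncKdcRepPart


def _mac(client_key: bytes, sname: str, srealm: str) -> bytes:
    return hmac.new(client_key, f"{sname}@{srealm}".encode(), hashlib.sha256).digest()


def kdc_issue(client_key: bytes, sname: str, realm: str) -> KdcRep:
    """The KDC answers a request for `sname`: both copies of the name agree."""
    return KdcRep(Ticket(sname, realm),
                  EncKdcRepPart(sname, realm, _mac(client_key, sname, realm)))


def open_enc_part(client_key: bytes, part: EncKdcRepPart) -> tuple:
    """Stands in for decrypting enc_part; fails if it was tampered with."""
    if not hmac.compare_digest(_mac(client_key, part.sname, part.srealm), part.mac):
        raise ValueError("enc_part integrity check failed")
    return part.sname, part.srealm


def extract_ticket_vulnerable(client_key, rep, req_sname, req_realm):
    """Pre-fix behaviour: the name compared against the request is taken from
    rep.ticket, which nothing on the client side has authenticated."""
    open_enc_part(client_key, rep.enc_part)          # decrypted, but name ignored
    name = (rep.ticket.sname, rep.ticket.realm)
    if name != (req_sname, req_realm):
        raise ValueError("server mismatch")
    return name


def extract_ticket_fixed(client_key, rep, req_sname, req_realm):
    """Post-fix behaviour: the name comes from the authenticated enc_part."""
    name = open_enc_part(client_key, rep.enc_part)
    if name != (req_sname, req_realm):
        raise ValueError("server mismatch")
    return name


def mitm_rewrite(rep: KdcRep, spoofed_sname: str) -> KdcRep:
    """On-path attacker: relay a reply the KDC issued for the attacker's own
    service, overwriting the cleartext Ticket name with the one the client
    asked for.  enc_part cannot be altered without the client's key."""
    return replace(rep, ticket=replace(rep.ticket, sname=spoofed_sname))


def demo() -> dict:
    client_key = b"constructed-client-key"            # constructed
    realm = "EXAMPLE.ORG"                            # constructed
    requested = "host/fileserver.example.org"        # what the client asked for
    attacker = "host/attacker.example.org"           # service the attacker owns
    forged = mitm_rewrite(kdc_issue(client_key, attacker, realm), requested)
    out = {}
    out["vulnerable"] = extract_ticket_vulnerable(client_key, forged, requested, realm)
    try:
        extract_ticket_fixed(client_key, forged, requested, realm)
        out["fixed"] = "accepted"
    except ValueError as err:
        out["fixed"] = str(err)
    out["genuine"] = extract_ticket_fixed(
        client_key, kdc_issue(client_key, requested, realm), requested, realm)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable path accepts the forged reply because the only name it looks at is the one the attacker wrote; the fixed path rejects it because the name inside enc_part still says which service the KDC actually issued the ticket for, and a genuine reply passes both. In real Kerberos the Ticket is then sent to whoever holds the service key, which in the forged case is the attacker.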