Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
From: Alex Vong
Date: Sat, 21 Oct 2017 17:52:58 +0800
To: Ricardo Wurmus
Cc: 27749@debbugs.gnu.org

Hello,

This is the new patch. It is basically the first patch but with the sqlite and libedit bundled dependencies removed. I don't know if there are any other bundled dependencies so I am asking this on the heimdal mailing list. Also, since I am not a user of heimdal, we need someone to check if the new version does work properly (as some test failures occur).

From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.

* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip and sqlite.
---
 gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 64 insertions(+), 22 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 801b4e44a..fde310e65 100644 =2D-- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -6,6 +6,7 @@ ;;; Copyright =C2=A9 2012, 2013 Nikita Karetnikov ;;; Copyright =C2=A9 2012, 2017 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2017 Ricardo Wurmus +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; @@ -145,16 +146,15 @@ secure manner through client-server mutual authentica= tion via tickets.") (define-public heimdal (package (name "heimdal") =2D (version "1.5.3") + (version "7.4.0") (source (origin (method url-fetch) =2D (uri (string-append "http://www.h5l.org/dist/src/heimdal-" =2D version ".tar.gz")) + (uri (string-append "https://github.com/" name "/" name + "/releases/download/" name "-" version + "/" name "-" version ".tar.gz")) (sha256 (base32 =2D "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma")) =2D (patches (search-patches "heimdal-CVE-2017-6594.patch" =2D "heimdal-CVE-2017-11103.patch")) + "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x")) (modules '((guix build utils))) (snippet '(substitute* "configure" 
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentica= tion via tickets.") (("Date=3D.*$") "Date=3D2017\n"))))) (build-system gnu-build-system) (arguments =2D '(#:configure-flags (list =2D ;; Work around a linker error. =2D "CFLAGS=3D-pthread" + '(#:modules ((guix build gnu-build-system) + (guix build utils) + (srfi srfi-26)) + + #:configure-flags (list + (string-append "CPPFLAGS=3D-D_PATH_BSHELL=3D" + (assoc-ref %build-inputs "bash") + "/bin/sh") =20 ;; Avoid 7 MiB of .a files. "--disable-static" =20 ;; Do not build libedit. =2D (string-append =2D "--with-readline-lib=3D" =2D (assoc-ref %build-inputs "readline") "/lib") =2D (string-append =2D "--with-readline-include=3D" =2D (assoc-ref %build-inputs "readline") "/includ= e")) + (string-append "--with-readline=3D" + (assoc-ref %build-inputs "readlin= e")) + + ;; Do not build sqlite. + (string-append "--with-sqlite3=3D" + (assoc-ref %build-inputs "sqlite"= ))) =20 #:phases (modify-phases %standard-phases + (add-after 'unpack 'pre-build + (lambda _ + (for-each (lambda (file) ;fix sh paths + (substitute* file + (("/bin/sh") + (which "sh")))) + '("appl/afsutil/pagsh.c" "tools/Makefile.a= m")) + (substitute* "lib/roken/getxxyyy.c" ;set user during= test + (("user =3D getenv\\(\"USER\"\\);") + (format #f + "#ifndef TEST_GETXXYYY +#error \"TEST_GETXXYYY is not defined\" +#endif +user =3D \"~a\"; +" + (passwd:name (getpwuid (getuid)))))) + #t)) + + (add-after 'pre-build 'autogen + (lambda _ + (zero? (system* "sh" "autogen.sh")))) + + ;; FIXME: figure out the complete list of bundled librar= ies + (add-after 'configure 'remove-bundled-libraries + (lambda _ + (for-each delete-file-recursively + '("lib/libedit" "lib/sqlite")))) + (add-before 'check 'skip-tests (lambda _ =2D ;; The test simply runs 'ftp --version && ftp --he= lp' =2D ;; but that fails in the chroot because 'ftp' trie= s to =2D ;; do a service lookup before printing the help/ve= rsion. 
=2D (substitute* "appl/ftp/ftp/Makefile.in" =2D (("^CHECK_LOCAL =3D.*") =2D "CHECK_LOCAL =3D no-check-local\n")) + ;; skip db tests for now + ;; FIXME: figure out why they fail + (call-with-output-file "tests/db/have-db.in" + (cut format <> "#!~a~%exit 1~%" (which "sh"))) #t))))) + (native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et' =2D (inputs `(("readline" ,readline) + (inputs `(("autoconf" ,autoconf) ;for autogen + ("automake" ,automake) + ("libtool" ,libtool) + ("perl" ,perl) + ("perl-json" ,perl-json) + + ("texinfo" ,texinfo) ;for doc + ("unzip" ,unzip) ;for test + + ("readline" ,readline) + ("sqlite" ,sqlite) ("bdb" ,bdb) ("e2fsprogs" ,e2fsprogs))) ;for libcom_err (home-page "http://www.h5l.org/") =2D-=20 2.14.2

Cheers,
Alex
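
Review bot: In the source origin hunk (@@ -145,16 +146,15 @@), the (patches (search-patches "heimdal-CVE-2017-6594.patch" "heimdal-CVE-2017-11103.patch")) field is dropped, but the diffstat lists only gnu/packages/kerberos.scm, so both patch files stay in the tree unreferenced, and the [source] entry of the commit log mentions only the URI change. Delete the two files and their gnu/local.mk entries in this same commit, and add a "[source]: Remove patches." line to the log that confirms 7.4.0 carries both fixes, so a reader can see that the CVE coverage was not lost in the upgrade.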
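
Review bot: In the #:phases hunk (@@ -162,33 +162,75 @@), the new 'skip-tests body overwrites tests/db/have-db.in with a script that always exits 1, which turns off every db test behind a FIXME; for a security update of a Kerberos implementation I would rather see the failing tests identified and only those skipped, with the reason recorded in the comment. Two further points in the same hunk: the 'autogen phase runs autogen.sh after unpack, which presumably regenerates configure and so discards the Date= substitution that the source snippet applies to configure, so that substitution should run after 'autogen or target the file configure is generated from; and autoconf, automake, libtool, perl, perl-json, texinfo and unzip are build-time tools, so they belong in native-inputs next to e2fsprogs rather than in inputs.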