From: Maxim Cournoyer
To: Felix Lechner
Cc: 62760-done@debbugs.gnu.org, Leo Famulari
Subject: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:37:58 -0400
Message-ID: <87o7numnu1.fsf_-_@gmail.com>

Hello,

Felix Lechner writes:

> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.

I'm not sure why I needed to add it in the past; I think the build was
broken then without it.

> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.
>
> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
>
> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.

I've fixed the change log to read as:

--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.

* gnu/packages/kerberos.scm (heimdal)[native-inputs]: Add flex, libcap-ng, openldap and pkg-config.
[inputs]: Remove mit-krb5. Add libcap-ng and openldap. --8<---------------cut here---------------end--------------->8--- But then noticed that libcap-ng and openldap needed not be added to native-inputs, so I removed those. These are run time libraries. > --- > gnu/packages/kerberos.scm | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index 0faf879e35..c9c86f9541 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm > @@ -30,10 +30,12 @@ > > (define-module (gnu packages kerberos) > #:use-module (gnu packages) > + #:use-module (gnu packages admin) > #:use-module (gnu packages autotools) > #:use-module (gnu packages bash) > #:use-module (gnu packages bison) > #:use-module (gnu packages dbm) > + #:use-module (gnu packages flex) > #:use-module (gnu packages perl) > #:use-module (gnu packages python) > #:use-module (gnu packages gettext) > @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos) > #:use-module (gnu packages libidn) > #:use-module (gnu packages hurd) > #:use-module (gnu packages linux) > + #:use-module (gnu packages openldap) > #:use-module (gnu packages pkg-config) > #:use-module (gnu packages compression) > #:use-module (gnu packages readline) > @@ -249,16 +252,22 @@ (define-public heimdal > (format #t "#!~a~%exit 1~%" (which "sh"))))))) > ;; Tests fail when run in parallel. > #:parallel-tests? #f)) > - (native-inputs (list e2fsprogs ;for 'compile_et' > + (native-inputs (list bison > + e2fsprogs ;for 'compile_et' > + flex > + libcap-ng > texinfo > unzip ;for tests > + openldap > perl > + pkg-config > python)) > (inputs (list readline > bash-minimal > bdb > e2fsprogs ;for libcom_err > - mit-krb5 > + libcap-ng > + openldap > sqlite)) > (home-page "http://www.h5l.org/") > (synopsis "Kerberos 5 network authentication") Modified like: --8<---------------cut here---------------start------------->8--- 
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index a97c2ac87b..9e2f6acd56 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -253,18 +253,16 @@ (define-public heimdal ;; Tests fail when run in parallel. #:parallel-tests? #f)) (native-inputs (list bison - e2fsprogs ;for 'compile_et' + e2fsprogs ;for 'compile_et' flex - libcap-ng texinfo - unzip ;for tests - openldap + unzip ;for tests pkg-config python)) (inputs (list readline bash-minimal bdb - e2fsprogs ;for libcom_err + e2fsprogs ;for libcom_err libcap-ng openldap sqlite)) --8<---------------cut here---------------end--------------->8--- And installed! -- Thanks, Maxim
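
Review bot: in the quoted patch's @@ -249,16 +252,22 @@ hunk, libcap-ng and openldap are listed under both native-inputs and inputs, although they are libraries the package links against and uses at run time. They should appear under inputs only, leaving native-inputs for the build-time tools (bison, flex, pkg-config and the like). The same hunk also adds bison to native-inputs, which the commit message does not mention; the change log entry for [native-inputs] should name it.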
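
Review bot: the native-inputs list in the follow-up @@ -253,18 +253,16 @@ hunk has no perl entry, whereas the quoted patch kept perl as a context line between openldap and pkg-config, and the revised change log records no such removal. If dropping perl is intentional, add it to the [native-inputs] entry; that entry should also stop listing libcap-ng and openldap once this hunk removes them. The e2fsprogs and unzip lines are removed and re-added with identical text, so they are whitespace-only realignments of the trailing comments; that is fine here, but a one-word mention in the log keeps the functional change easy to pick out.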