Subject: [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
From: Maxim Cournoyer
To: Felix Lechner
Cc: 62760@debbugs.gnu.org, Leo Famulari
Date: Tue, 11 Apr 2023 11:34:26 -0400
Message-ID: <87sfd6mnzx.fsf_-_@gmail.com>
In-Reply-To: <6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com> (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:12 -0700")
References: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> <6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com>
X-BeenThere: guix-patches@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Hi,

Felix Lechner writes:

> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.

I've fixed the change log commit message like so:

--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8---

> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/kerberos.scm                     |  2 +
>  .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
>  3 files changed, 52 insertions(+)
>  create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index b7e19b6bc2..f4cd3f448a 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1327,6 +1327,7 @@ dist_patch_DATA = \
>    %D%/packages/patches/hdf-eos5-remove-gctp.patch \
>    %D%/packages/patches/hdf-eos5-fix-szip.patch \
>    %D%/packages/patches/hdf-eos5-fortrantests.patch \
> +  %D%/packages/patches/heimdal-CVE-2022-45142.patch \
>    %D%/packages/patches/helm-fix-gcc-9-build.patch \
>    %D%/packages/patches/http-parser-CVE-2020-8287.patch \
>    %D%/packages/patches/htslib-for-stringtie.patch \
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index ae4efcbc23..0faf879e35 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -176,6 +176,8 @@ (define-public heimdal
>                (sha256
>                 (base32
>                  "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> +              (patches (search-patches
> +                        "heimdal-CVE-2022-45142.patch"))

Nitpick; I've used the more conventional indentation for patches:

--8<---------------cut here---------------start------------->8---
(patches (search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---

Thank you!

-- 
Maxim
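Review bot: in the gnu/local.mk hunk, the new `+  %D%/packages/patches/heimdal-CVE-2022-45142.patch \` entry sits in the right alphabetical slot between the hdf-eos5 and helm entries, but neither this registration nor the new patch file that the diffstat shows being created (`create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch`) is mentioned in the original change log, which only lists the kerberos.scm change. Both belong in the commit message, as `* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.` and `* gnu/local.mk (dist_patch_DATA): Register it.`; the dist_patch_DATA entry is what gets the file into the distribution tarball, so a forgotten registration builds fine from a checkout and only fails later.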
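Review bot: in the gnu/packages/kerberos.scm hunk, the added `(patches (search-patches "heimdal-CVE-2022-45142.patch"))` gives a reader of the package definition no way to tell what the patch fixes or where it came from, and the commit message says it was extracted from the oss-security disclosure rather than taken from an upstream commit; the patch file itself should therefore open with a comment naming the CVE and the disclosure URL so that whoever bumps heimdal next can check whether the fix has landed upstream and drop it. Leaving the `sha256` unchanged is correct, since Guix verifies the hash of the unpatched tarball and applies `patches` afterwards. Whether a `replacement` field (a graft) is also wanted depends on how many packages depend on heimdal, which this diff does not show; the one-line `(patches (search-patches "heimdal-CVE-2022-45142.patch"))` form is the usual style in gnu/packages, as already noted in the reply.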
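The three things the review above checks by eye (the patch file exists, it is registered in dist_patch_DATA, and it documents its provenance) can be checked mechanically. The following is an added example written for this thread, not code from Guix or from either author; it works on plain text with regular expressions rather than Guix's Scheme tooling, recognises only the plain `(search-patches "...")` and `%D%/packages/patches/...` spellings, and the package module, local.mk fragment and patch bodies at the bottom are constructed strings modelled on the quoted hunks (`lib/example.c` is a placeholder path, not the file the real fix touches).

```python
"""Consistency check for a Guix source-patch registration (added example).

Every file named in a (search-patches ...) form of a package module must
  1. exist under gnu/packages/patches/ (passed in here as a name -> text map),
  2. be listed in dist_patch_DATA in gnu/local.mk, and
  3. start with a comment saying where the patch came from.
"""
import re

# (search-patches "a.patch" "b.patch"), possibly split across lines.
SEARCH_PATCHES_RE = re.compile(r'\(search-patches\s+((?:"[^"]+"\s*)+)\)')
QUOTED_NAME_RE = re.compile(r'"([^"]+)"')
# dist_patch_DATA entries look like:  %D%/packages/patches/foo.patch \
DIST_PATCH_RE = re.compile(r'%D%/packages/patches/([^\s\\]+)')


def referenced_patches(scm_text):
    """Patch file names used by (search-patches ...) forms in a package module."""
    names = set()
    for form in SEARCH_PATCHES_RE.finditer(scm_text):
        names.update(QUOTED_NAME_RE.findall(form.group(1)))
    return names


def registered_patches(local_mk_text):
    """Patch file names listed in dist_patch_DATA of gnu/local.mk."""
    return set(DIST_PATCH_RE.findall(local_mk_text))


def has_provenance_header(patch_text):
    """True if there is explanatory text before the first diff line.

    A bare diff gives a future maintainer nothing to check the patch against;
    a header naming the upstream commit or advisory does.
    """
    for line in patch_text.splitlines():
        if line.startswith(("diff --git", "--- ", "Index: ")):
            return False
        if line.strip():
            return True
    return False


def check_patch_registration(scm_text, local_mk_text, patch_files):
    """Run the three checks; patch_files maps file name -> file content.

    Returns a dict of problem lists; all three empty means the change is
    consistent.
    """
    referenced = referenced_patches(scm_text)
    registered = registered_patches(local_mk_text)
    problems = {"missing_file": [], "unregistered": [], "no_header": []}
    for name in sorted(referenced):
        if name not in patch_files:
            problems["missing_file"].append(name)
        elif not has_provenance_header(patch_files[name]):
            problems["no_header"].append(name)
        if name not in registered:
            problems["unregistered"].append(name)
    return problems


# ---- constructed sample inputs (not taken from the Guix tree) ---------------

KERBEROS_SCM = """
(define-public heimdal
  (package
    (name "heimdal")
    (source (origin
              (sha256
               (base32
                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
              (patches (search-patches
                        "heimdal-CVE-2022-45142.patch"))))))
"""

LOCAL_MK_BEFORE = "\n".join([
    "dist_patch_DATA =\t\t\t\t\\",
    "  %D%/packages/patches/hdf-eos5-fortrantests.patch\t\\",
    "  %D%/packages/patches/helm-fix-gcc-9-build.patch\t\\",
    "",
])
# The same list after the local.mk hunk of the patch under review.
LOCAL_MK_AFTER = LOCAL_MK_BEFORE.replace(
    "  %D%/packages/patches/helm-fix-gcc-9-build.patch",
    "  %D%/packages/patches/heimdal-CVE-2022-45142.patch\t\\\n"
    "  %D%/packages/patches/helm-fix-gcc-9-build.patch")

# Placeholder patch bodies; the real diff of the fix is not reproduced here.
PATCH_WITH_HEADER = (
    "Fix for CVE-2022-45142, extracted from the public disclosure at\n"
    "https://www.openwall.com/lists/oss-security/2023/02/08/1\n"
    "\n"
    "diff --git a/lib/example.c b/lib/example.c\n"
)
PATCH_NO_HEADER = "diff --git a/lib/example.c b/lib/example.c\n"


def demo():
    """Check the constructed tree before and after the local.mk registration."""
    files = {"heimdal-CVE-2022-45142.patch": PATCH_WITH_HEADER}
    before = check_patch_registration(KERBEROS_SCM, LOCAL_MK_BEFORE, files)
    after = check_patch_registration(KERBEROS_SCM, LOCAL_MK_AFTER, files)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Run against a real checkout, `scm_text` would be the contents of gnu/packages/kerberos.scm, `local_mk_text` that of gnu/local.mk, and `patch_files` a mapping built from the files in gnu/packages/patches/; the "before" result reproduces exactly the omission the corrected change log above accounts for.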