From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60961)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e5CGt-0007eb-FJ
	for guix-patches@gnu.org; Thu, 19 Oct 2017 10:58:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e5CGo-0008QQ-KO
	for guix-patches@gnu.org; Thu, 19 Oct 2017 10:58:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:41816)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e5CGo-0008QM-Fq
	for guix-patches@gnu.org; Thu, 19 Oct 2017 10:58:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e5CGo-0001Cp-3i
	for guix-patches@gnu.org; Thu, 19 Oct 2017 10:58:02 -0400
Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes
	CVE-2017-11103].
Resent-Message-ID: <handler.27749.B27749.15084250584602@debbugs.gnu.org>
From: Alex Vong <alexvong1995@gmail.com>
References: <87wp76kv68.fsf@gmail.com> <20170718154906.GB16798@jasmine.lan>
	<87bmogzspe.fsf@gmail.com> <877ez4znze.fsf@gmail.com>
	<20170720195134.GA19680@jasmine.lan> <871sm03zyd.fsf@elephly.net>
Date: Thu, 19 Oct 2017 22:57:12 +0800
In-Reply-To: <871sm03zyd.fsf@elephly.net> (Ricardo Wurmus's message of "Wed,
	18 Oct 2017 23:31:38 +0200")
Message-ID: <87vajbchiv.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 27749@debbugs.gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under =E2=80=9Clib=E2=
=80=9D are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
exmaples, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net

[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/c=
ontrol

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlnovUkACgkQxYq4eRf1
Ea4B2g//YD3cKmklgFhFoeYmjIzw2YvqGBdKa+N2ktuelNSGkCM8QCCKV6AmSOoK
fjvNyxoKfq79Syir6s9zqBh1gs16YAXYBuUGsJHwfoKAmqjvMh5i+6qxlhh0mt3Y
HW4A7cnM/5S3et/LU44Mtu9NjQupaNqCKb6UCOlPa7iBjnQ6+FMMihzNQGbBqNgW
gOFLZUOPl5kZLaNahk0VF9YojCVOSZdL/GjdD0HCLZqI7TSgRqPeSXb6YJk8CvG3
JEVDc+H8tmYSKZ2gIGfuClVaBhKPQ/bPV88EQklF54GQhhSsMjent6kCpgCbminY
o+tVNIio7xh2SVDLOvKqP6hATBaiESct3ylfBoC3GJbkdUrtFKzIRURS4QsLdYK3
oyGiEWOXESWEnlAdZNXIkmbCdYevzyCCLKq6n9tJ9+jO5CPAa+N/L3wZQK/8DAcU
N2a/s1mfhSedsb1ugj9jRsN8O+i0+Z9jPiXbvwTYBy9g3P9JUoHEeb1WXoymj9KF
GiBLqsgDUNKfZELgpqutkNJAfp1uwQR4Ekr1rvbYpBLrCfvX0wpSqvqZSSSV8QQg
NXTyZwqYLQb4BGbnPFs8ypbgfbrgRtwiNFLZq+y3LM6dXw7EZyyVbPWGe+0CmX2s
M1gV75fnV+wHI9XC0FTS8/1VBW9ui1ZXRDzGHvSLtKGzjwkI4Y8=
=4lsb
-----END PGP SIGNATURE-----
--=-=-=--