From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id GJ35FL19NWTrjwAASxT56A
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 11 Apr 2023 17:33:17 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id YA4AFL19NWTBnwAAG6o9tA
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 11 Apr 2023 17:33:17 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id DC4A6380F2
	for <larch@yhetil.org>; Tue, 11 Apr 2023 17:33:16 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1pmFzV-0002J3-2L; Tue, 11 Apr 2023 11:33:05 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pmFzS-0002Ie-JD
 for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pmFzR-0000BL-Uf
 for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1pmFzR-0000Uf-Qs
 for guix-patches@gnu.org; Tue, 11 Apr 2023 11:33:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal
 Kerberos
Resent-From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 11 Apr 2023 15:33:01 +0000
Resent-Message-ID: <handler.62760.B62760.16812271741883@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 62760
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: 62760@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Received: via spool by 62760-submit@debbugs.gnu.org id=B62760.16812271741883
 (code B ref 62760); Tue, 11 Apr 2023 15:33:01 +0000
Received: (at 62760) by debbugs.gnu.org; 11 Apr 2023 15:32:54 +0000
Received: from localhost ([127.0.0.1]:37999 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1pmFzJ-0000UI-K1
 for submit@debbugs.gnu.org; Tue, 11 Apr 2023 11:32:53 -0400
Received: from mail-qv1-f46.google.com ([209.85.219.46]:35790)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pmFzG-0000U2-JY
 for 62760@debbugs.gnu.org; Tue, 11 Apr 2023 11:32:52 -0400
Received: by mail-qv1-f46.google.com with SMTP id e9so5709293qvv.2
 for <62760@debbugs.gnu.org>; Tue, 11 Apr 2023 08:32:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1681227165; x=1683819165;
 h=mime-version:user-agent:message-id:in-reply-to:date:references
 :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to;
 bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=;
 b=NSlZDHYmi38NoxxWrojZ9aVsV5QxNhKuBXl80nxb/lG3oTcy0JKE4V1aHmPEvPCQdf
 tz79vgSoFiOfrv3xekRpxziAtGKbV0TJoGKRNoAcuaNpN34vPlWTzuL2znFxpWbrlUN/
 yQm/FYudlyir+84MuJoWCIQN/jLrdl69uVkP8QVNL/SCVU1DCO7RX9QT7XKdnxiYqrz5
 XCQDDvXH4OEvOfnkX49eqJl0G7U2LRVBKAIREy7M5QC2j7cr6LUv0GDmb+Lpp4u+WiwF
 /FdxuhRd9iDyGSWmmGFlP3Huebflw5l/e+HBxJ+GnOj7HTkxXnRJtvcINc5J9MgJpNh3
 0LUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1681227165; x=1683819165;
 h=mime-version:user-agent:message-id:in-reply-to:date:references
 :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date
 :message-id:reply-to;
 bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=;
 b=5BjN2ZFJami/agA8faQEqnq3ivvgEt9PXvPBucyeMbSGxoeoFvx4H0JgPgQRLEXmXC
 6CzP42b4PjY5cbXC4Ssto/DBvco18mqK5f+dmUeYH4oDxNx10C9t3jB9RUWBK6PpuiKl
 MTMtagudaSeoWX/sFg7y2Ic3aDE7y3pZ9WMWwVxnHWWZHAifHBI9mfdpeB7MUQckT5j1
 Csflhe3j4WaJUD7WpqyRDRjHfKsGraXoki1ho7KFD5yZNo/oBj/YPwoHG1qL7LdyyP2l
 GVls/U6vRbKC1GAcA7b0Zv8Wx3EpL7o5docHNisV3Z9h9I9mGl6zRaZ6MCMbT5+XMWC3
 W6pA==
X-Gm-Message-State: AAQBX9cC+McdtpDM1xCqCl8Hw7OYaXjcCp5Otlk8iX8BeocLUQvSV8Ik
 grw5GPz+mefXqQmaSeisP5A3JLAQ3v8=
X-Google-Smtp-Source: AKy350Y0Z/V4U77uqSWARyD82pDvP8YOBRJ73THYjq4PhIul+I0EYwisNXhn4+yqz8kjOjAo6YLnpA==
X-Received: by 2002:ad4:5c8f:0:b0:56e:a96b:a3a1 with SMTP id
 o15-20020ad45c8f000000b0056ea96ba3a1mr5798030qvh.7.1681227164818; 
 Tue, 11 Apr 2023 08:32:44 -0700 (PDT)
Received: from hurd (dsl-152-224.b2b2c.ca. [66.158.152.224])
 by smtp.gmail.com with ESMTPSA id
 y136-20020a37648e000000b0074aafac45c1sm578742qkb.47.2023.04.11.08.32.43
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 11 Apr 2023 08:32:44 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
References: <cover.1681155077.git.felix.lechner@lease-up.com>
 <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com>
Date: Tue, 11 Apr 2023 11:32:43 -0400
In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com>
 (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:11 -0700")
Message-ID: <87wn2imo2s.fsf_-_@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: guix-patches-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1681227197; a=rsa-sha256; cv=none;
	b=CvpaVgBditIgGsHryyz89K8fB46XgmxLcFrdtPv+Y0xTUlikvA5ZcQ20IXrfYVoal5QoS/
	0UKrM+tfchBraZ6zt+AivxMvThyIUVYL28w6yVWdcbvTOczcXu7QgmKpMk282Aibpqqn16
	w94LQaX3fipL7aXUyyTdCUCoKagslgDvBWw4ZHw10wa3nILIlDJCd9f4Si04Wd5mJt83Sl
	4l5pgdbdC8xvax5C6AWY+IG3Br5XWNlDAh1Klqb081xt8mEXLtLrzfPGZLgXBP9SXii7/I
	n/qenuLafhvQtVJJkU2QZ/HS0ktrTX0G5T0eTFY8bJ8mQ8dpyNucf4bO+Z/C8A==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=NSlZDHYm;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1681227197;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=BMHJm4rLkWvfhtETPmdCNi5ICR6SdT3cDZeK64dVl4Y=;
	b=ooQ+70dEDsRd9r4KTIzMFvH8cJH1P/3wCV+j+z5sAC7CrpWEXU7XRY3SGWvnP876btLfA4
	GtIuxtG9+HKButpgq7TF87GHHHiH0k+uLVOcoJ6Kdr2x0uL8t9/U39twE4qT0khBUftlCQ
	S28LXaZ0zkHM/KGEfFtATvLz/kVZ+EnZoq0qr9ZbWIGrv0F/qtzt9bcwb8XFtURW6bU0Gn
	+uEE4DN/pOmjO0mYDmjgkjt0r3M4rnZgP81WidG9+eKASpsTP3q/4BKhShQbzS5PH7OiyB
	shvZuTLtWPMk3tgU4n+S9QZf5SPGwyyeh6GNNNFetIFcHb2I6t7nOUlfgtKfwQ==
X-Migadu-Spam-Score: 5.78
X-Migadu-Scanner: scn1.migadu.com
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=NSlZDHYm;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
X-Spam-Score: 5.78
X-Migadu-Queue-Id: DC4A6380F2
X-TUID: OXbzXz6ZWtNK

Hello,

Felix Lechner <felix.lechner@lease-up.com> writes:

> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

I've fixed the commit message to use the GNU ChangeLog style;
see: info '(standards) Style of Change Logs'.

> ---
>  gnu/packages/kerberos.scm | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 9454a5983e..ae4efcbc23 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
>    #:use-module (gnu packages bison)
>    #:use-module (gnu packages dbm)
>    #:use-module (gnu packages perl)
> +  #:use-module (gnu packages python)
>    #:use-module (gnu packages gettext)
>    #:use-module (gnu packages gnupg)
>    #:use-module (gnu packages libidn)
> @@ -166,7 +167,7 @@ (define-public shishi
>  (define-public heimdal
>    (package
>      (name "heimdal")
> -    (version "7.7.0")
> +    (version "7.8.0")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append
> @@ -174,14 +175,14 @@ (define-public heimdal
>                      "heimdal-" version "/" "heimdal-" version ".tar.gz"))
>                (sha256
>                 (base32
> -                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
> +                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
>                (modules '((guix build utils)))
>                (snippet
>                 '(begin
>                    (substitute* "configure"
>                      (("User=.*$") "User=Guix\n")
>                      (("Host=.*$") "Host=GNU")
> -                    (("Date=.*$") "Date=2019\n"))))))
> +                    (("Date=.*$") "Date=2022\n"))))))
>      (build-system gnu-build-system)
>      (arguments
>       `(#:configure-flags
> @@ -249,7 +250,8 @@ (define-public heimdal
>      (native-inputs (list e2fsprogs ;for 'compile_et'
>                           texinfo
>                           unzip ;for tests
> -                         perl))
> +                         perl
> +                         python))

Thanks!  I've dropped perl, which appears unnecessary to build/run the
test suite.

-- 
Thanks,
Maxim