all messages for Guix-related lists mirrored at yhetil.org
* [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
@ 2023-04-10 19:50 Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
                   ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-10 19:50 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner, guix-devel

Hi,

This patch series addresses two serious vulnerabilities in Heimdal, which is
an implementation of the Kerberos protocol and therefore a security-relevant
package.

First, the version being shipped currently in Guix suffers from "a severe
vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System
(CVSS) v3." The upstream developers "believe it should be possible to get an
RCE [remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [1]

Second, all recent upstream releases (but not the development branch) suffer
from a serious backporting error that NIST scored at a "7.5 HIGH". That issue
is being patched here. [2]

Finally, we enabled OpenLDAP support for the principals database (which is
different from using LDAP for user authorization) and modified the inputs to
be more in line with Debian packaging.

The packaging presented here passed some cursory testing for basic client and
server functionality locally, but that version did not include the patch for
CVE-2022-45142 because I did not know how to add it to my custom channel.

Kind regards
Felix Lechner

[1] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* * *

Felix Lechner (3):
  gnu: heimdal: Update to 7.8.0.
  gnu: heimdal: Patch for CVE-2022-45142.
  gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian
    packaging.

 gnu/packages/kerberos.scm                     | 25 +++++++---
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch


base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
-- 
2.39.2

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
  2023-04-10 19:50 [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
  2023-04-10 23:05   ` Leo Famulari
  2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner

Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "7.7.0")
+    (version "7.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
                     "heimdal-" version "/" "heimdal-" version ".tar.gz"))
               (sha256
                (base32
-                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
               (modules '((guix build utils)))
               (snippet
                '(begin
                   (substitute* "configure"
                     (("User=.*$") "User=Guix\n")
                     (("Host=.*$") "Host=GNU")
-                    (("Date=.*$") "Date=2019\n"))))))
+                    (("Date=.*$") "Date=2022\n"))))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
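Review bot: the replaced checksum on the `+                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))` line is the only thing binding this security update to the upstream 7.8.0 tarball, so a second reviewer should reproduce it independently (for example by running `guix download` on the release URL that the `uri` above expands to) instead of taking it from the patch; the `Date=2022` substitution below it is consistent with a 2022 release of 7.8.0.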
@@ -249,7 +250,8 @@ (define-public heimdal
     (native-inputs (list e2fsprogs ;for 'compile_et'
                          texinfo
                          unzip ;for tests
-                         perl))
+                         perl
+                         python))
     (inputs (list readline
                   bash-minimal
                   bdb
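Review bot: the new `+                         python))` native input is not covered by the commit message, whose only ChangeLog entry is `(heimdal): Update to 7.8.0.`; add a `[native-inputs]: Add python.` line and, as the neighbouring entries do (`unzip ;for tests`), a short comment stating what in the 7.8.0 build needs Python, so the dependency does not look accidental.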
-- 
2.39.2


* [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
  2023-04-10 19:50 [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
  2023-04-10 23:07   ` Leo Famulari
  2023-04-10 19:52 ` [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
  2023-04-11  4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
  3 siblings, 1 reply; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner

Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]

At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.

The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
 gnu/packages/kerberos.scm                     |  2 +
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
               (sha256
                (base32
                 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+              (patches (search-patches
+                        "heimdal-CVE-2022-45142.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
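Review bot: `search-patches` on the `+              (patches (search-patches` line will locate the new file in a git checkout, but a file under gnu/packages/patches also has to be listed in `dist_patch_DATA` in gnu/local.mk or it is missing from generated source tarballs; this series adds the patch without that registration (the diffstat touches only kerberos.scm and the new file), so a revised patch is needed.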
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1
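Review bot: the two functional lines, `+    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);` and `+    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */`, make `cmp` non-zero exactly when the checksum does not match, so the following `if (cmp)` returns GSS_S_BAD_MIC (and, in the unwrap case, releases the output buffer) on a corrupted or forged checksum rather than on a valid one. Since the package runs the upstream test suite, a reviewer should confirm that a test exercising arcfour verify_mic/unwrap with a tampered checksum actually runs; an inversion of this kind surviving the 7.7.1 and 7.8.0 releases shows the existing tests did not catch it. The `+From:`/`+Subject:` mbox headers and the `+--`/`+2.38.1` trailer are harmless to `patch`, and the `+NB (Felix Lechner)` line is exactly the provenance a vendored security patch should carry.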
-- 
2.39.2


* [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
  2023-04-10 19:50 [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
  2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-10 19:52 ` Felix Lechner via Guix-patches via
  2023-04-11  4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
  3 siblings, 0 replies; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-10 19:52 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner

This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]

First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.

The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.

Also enables support for the OpenLDAP backend for the principals database.

[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
 gnu/packages/kerberos.scm | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages admin)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
+  #:use-module (gnu packages flex)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages openldap)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
                           (format #t "#!~a~%exit 1~%" (which "sh")))))))
        ;; Tests fail when run in parallel.
        #:parallel-tests? #f))
-    (native-inputs (list e2fsprogs ;for 'compile_et'
+    (native-inputs (list bison
+                         e2fsprogs ;for 'compile_et'
+                         flex
+                         libcap-ng
                          texinfo
                          unzip ;for tests
+                         openldap
                          perl
+                         pkg-config
                          python))
     (inputs (list readline
                   bash-minimal
                   bdb
                   e2fsprogs ;for libcom_err
-                  mit-krb5
+                  libcap-ng
+                  openldap
                   sqlite))
     (home-page "http://www.h5l.org/")
     (synopsis "Kerberos 5 network authentication")
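Review bot: `libcap-ng` and `openldap` are added to both lists (`+                         libcap-ng` and `+                         openldap` under `native-inputs`, then again under `inputs`); both are libraries heimdal links against rather than build-time tools, so they belong in `inputs` only, while `bison`, `flex` and `pkg-config` are correctly native. The commit message says OpenLDAP support is enabled, yet no `#:configure-flags` entry accompanies the new input, so the reviewer should confirm from the build log that configure picks the library up on its own. Finally, the ChangeLog line `* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]` names the wrong variable; it should read `(heimdal)`.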
-- 
2.39.2


* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
  2023-04-10 19:52 ` [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-10 23:05   ` Leo Famulari
  2023-04-11  4:15     ` Felix Lechner via Guix-patches via
  0 siblings, 1 reply; 13+ messages in thread
From: Leo Famulari @ 2023-04-10 23:05 UTC (permalink / raw)
  To: 62760; +Cc: felix.lechner

On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via wrote:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
> 
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

Thanks for this!

> @@ -249,7 +250,8 @@ (define-public heimdal
>      (native-inputs (list e2fsprogs ;for 'compile_et'
>                           texinfo
>                           unzip ;for tests
> -                         perl))
> +                         perl
> +                         python))

Is this part intentional? It wasn't mentioned in the commit message.


* [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
  2023-04-10 19:52 ` [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-10 23:07   ` Leo Famulari
  0 siblings, 0 replies; 13+ messages in thread
From: Leo Famulari @ 2023-04-10 23:07 UTC (permalink / raw)
  To: 62760; +Cc: felix.lechner

On Mon, Apr 10, 2023 at 12:52:25PM -0700, Felix Lechner via Guix-patches via wrote:
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
> ---
>  gnu/packages/kerberos.scm                     |  2 +
>  .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++

It's necessary to register the new patch file in 'gnu/local.mk'.
Otherwise it won't be included in certain generated distributions of the
Guix source code. Examples are in the git log. Can you send a revised
patch?


* [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
  2023-04-10 23:05   ` Leo Famulari
@ 2023-04-11  4:15     ` Felix Lechner via Guix-patches via
  0 siblings, 0 replies; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11  4:15 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 62760

Hi Leo,

On Mon, Apr 10, 2023 at 4:05 PM Leo Famulari <leo@famulari.name> wrote:
>
> > +                         python))
>
> Is this part intentional?

Yes, the sources for 7.8.0 failed to build without Python. I believe
it was due to that commit

    https://github.com/heimdal/heimdal/commit/6415a2032ec4b2ecc5917dae85b8f9e6f9e221d2

which fixed that issue:

    https://github.com/heimdal/heimdal/issues/696

Kind regards,
Felix Lechner


* [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0.
  2023-04-10 19:50 [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Felix Lechner via Development of GNU Guix and the GNU System distribution.
                   ` (2 preceding siblings ...)
  2023-04-10 19:52 ` [bug#62760] [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11  4:23 ` Felix Lechner via Guix-patches via
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
                     ` (2 more replies)
  3 siblings, 3 replies; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11  4:23 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner, Leo Famulari

Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "7.7.0")
+    (version "7.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
                     "heimdal-" version "/" "heimdal-" version ".tar.gz"))
               (sha256
                (base32
-                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
               (modules '((guix build utils)))
               (snippet
                '(begin
                   (substitute* "configure"
                     (("User=.*$") "User=Guix\n")
                     (("Host=.*$") "Host=GNU")
-                    (("Date=.*$") "Date=2019\n"))))))
+                    (("Date=.*$") "Date=2022\n"))))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -249,7 +250,8 @@ (define-public heimdal
     (native-inputs (list e2fsprogs ;for 'compile_et'
                          texinfo
                          unzip ;for tests
-                         perl))
+                         perl
+                         python))
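Review bot: the `+                         python))` native input is still undocumented in this v2 commit message even though the reply to Leo explains that the 7.8.0 sources fail to build without Python; that explanation belongs in the commit message as a `[native-inputs]: Add python.` ChangeLog entry, with a short `;for ...` comment on the line itself in the style of `unzip ;for tests`.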
     (inputs (list readline
                   bash-minimal
                   bdb

base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
-- 
2.39.2


* [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142.
  2023-04-11  4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
@ 2023-04-11  4:23   ` Felix Lechner via Guix-patches via
  2023-04-11 15:34     ` [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Maxim Cournoyer
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
  2023-04-11 15:32   ` [bug#62760] " Maxim Cournoyer
  2 siblings, 1 reply; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11  4:23 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner, Leo Famulari

Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]

At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.

The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/kerberos.scm                     |  2 +
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..f4cd3f448a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1327,6 +1327,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/heimdal-CVE-2022-45142.patch		\
   %D%/packages/patches/helm-fix-gcc-9-build.patch		\
   %D%/packages/patches/http-parser-CVE-2020-8287.patch		\
   %D%/packages/patches/htslib-for-stringtie.patch		\
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
               (sha256
                (base32
                 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+              (patches (search-patches
+                        "heimdal-CVE-2022-45142.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1
-- 
2.39.2


* [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
  2023-04-11  4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-11  4:23   ` Felix Lechner via Guix-patches via
  2023-04-11 15:37     ` bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Maxim Cournoyer
  2023-04-11 15:32   ` [bug#62760] " Maxim Cournoyer
  2 siblings, 1 reply; 13+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-04-11  4:23 UTC (permalink / raw)
  To: 62760; +Cc: Felix Lechner, Leo Famulari

This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]

First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.

The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.

Also enables support for the OpenLDAP backend for the principals database.

[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
 gnu/packages/kerberos.scm | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages admin)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
+  #:use-module (gnu packages flex)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages openldap)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
                           (format #t "#!~a~%exit 1~%" (which "sh")))))))
        ;; Tests fail when run in parallel.
        #:parallel-tests? #f))
-    (native-inputs (list e2fsprogs ;for 'compile_et'
+    (native-inputs (list bison
+                         e2fsprogs ;for 'compile_et'
+                         flex
+                         libcap-ng
                          texinfo
                          unzip ;for tests
+                         openldap
                          perl
+                         pkg-config
                          python))
     (inputs (list readline
                   bash-minimal
                   bdb
                   e2fsprogs ;for libcom_err
-                  mit-krb5
+                  libcap-ng
+                  openldap
                   sqlite))
     (home-page "http://www.h5l.org/")
     (synopsis "Kerberos 5 network authentication")
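Review bot: unchanged from v1, `libcap-ng` and `openldap` still appear under both `native-inputs` and `inputs` (`+                         libcap-ng`, `+                         openldap` in each list); as linked libraries they belong in `inputs` only. No `#:configure-flags` entry accompanies the new OpenLDAP input, so the build log should show configure detecting it, and the ChangeLog line still reads `(darktable)` where `(heimdal)` is meant.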
-- 
2.39.2


* [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
  2023-04-11  4:23 ` [bug#62760] [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0 Felix Lechner via Guix-patches via
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11 15:32   ` Maxim Cournoyer
  2 siblings, 0 replies; 13+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:32 UTC (permalink / raw)
  To: Felix Lechner; +Cc: 62760, Leo Famulari

Hello,

Felix Lechner <felix.lechner@lease-up.com> writes:

> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

I've fixed the commit message to use the GNU ChangeLog style;
see: info '(standards) Style of Change Logs'.

> ---
>  gnu/packages/kerberos.scm | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 9454a5983e..ae4efcbc23 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
>    #:use-module (gnu packages bison)
>    #:use-module (gnu packages dbm)
>    #:use-module (gnu packages perl)
> +  #:use-module (gnu packages python)
>    #:use-module (gnu packages gettext)
>    #:use-module (gnu packages gnupg)
>    #:use-module (gnu packages libidn)
> @@ -166,7 +167,7 @@ (define-public shishi
>  (define-public heimdal
>    (package
>      (name "heimdal")
> -    (version "7.7.0")
> +    (version "7.8.0")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append
> @@ -174,14 +175,14 @@ (define-public heimdal
>                      "heimdal-" version "/" "heimdal-" version ".tar.gz"))
>                (sha256
>                 (base32
> -                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
> +                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
>                (modules '((guix build utils)))
>                (snippet
>                 '(begin
>                    (substitute* "configure"
>                      (("User=.*$") "User=Guix\n")
>                      (("Host=.*$") "Host=GNU")
> -                    (("Date=.*$") "Date=2019\n"))))))
> +                    (("Date=.*$") "Date=2022\n"))))))
>      (build-system gnu-build-system)
>      (arguments
>       `(#:configure-flags
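Review bot: The replaced sha256 cannot be verified from the diff itself; before pushing, confirm the new base32 value against `guix download` (or `guix hash`) of the upstream 7.8.0 tarball, because a hash copied from elsewhere would silently pin a different archive for a security update. The `Date=2022` change is consistent with the version bump. Side note on the unchanged context: the `Host=.*$` substitution lacks the trailing `\n` that the `User=` and `Date=` replacements carry; that is pre-existing and could be fixed in a follow-up.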
> @@ -249,7 +250,8 @@ (define-public heimdal
>      (native-inputs (list e2fsprogs ;for 'compile_et'
>                           texinfo
>                           unzip ;for tests
> -                         perl))
> +                         perl
> +                         python))
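Review bot: `python` is added to native-inputs without a comment explaining why, whereas the neighbouring `unzip ;for tests` sets the convention; add e.g. `python ;for tests` if the test suite is the only consumer. While here, it is worth checking whether `perl` is still required at all now that the test suite has moved to Python.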

Thanks!  I've dropped perl, which appears unnecessary to build/run the
test suite.

-- 
Thanks,
Maxim





* [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142 Felix Lechner via Guix-patches via
@ 2023-04-11 15:34     ` Maxim Cournoyer
  0 siblings, 0 replies; 13+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:34 UTC (permalink / raw)
  To: Felix Lechner; +Cc: 62760, Leo Famulari

Hi,

Felix Lechner <felix.lechner@lease-up.com> writes:

> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.

I've fixed the change log commit message like so:

--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8---
    
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/kerberos.scm                     |  2 +
>  .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
>  3 files changed, 52 insertions(+)
>  create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index b7e19b6bc2..f4cd3f448a 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1327,6 +1327,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
>    %D%/packages/patches/hdf-eos5-fix-szip.patch			\
>    %D%/packages/patches/hdf-eos5-fortrantests.patch		\
> +  %D%/packages/patches/heimdal-CVE-2022-45142.patch		\
>    %D%/packages/patches/helm-fix-gcc-9-build.patch		\
>    %D%/packages/patches/http-parser-CVE-2020-8287.patch		\
>    %D%/packages/patches/htslib-for-stringtie.patch		\
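Review bot: The registration sits in the right alphabetical slot (after `hdf-eos5-fortrantests.patch`, before `helm-fix-gcc-9-build.patch`). The new patch file itself is not shown in this quote; make sure its header records where it was extracted from (the oss-security disclosure cited as [2] in the commit message) and the CVE identifier, so a future maintainer can tell when it has been superseded by an upstream release.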
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index ae4efcbc23..0faf879e35 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -176,6 +176,8 @@ (define-public heimdal
>                (sha256
>                 (base32
>                  "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> +              (patches (search-patches
> +                        "heimdal-CVE-2022-45142.patch"))
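Review bot: Since the commit message states that no upstream release after 7.8.0 exists yet, a short comment next to the `patches` field (e.g. ";; Drop with the next upstream release.") would flag this as a temporary backport that should be removed on the next update rather than carried indefinitely.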

Nitpick; I've used the more conventional indentation for patches:

--8<---------------cut here---------------start------------->8---
              (patches
               (search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---

Thank you!
-- 
Maxim





* bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
  2023-04-11  4:23   ` [bug#62760] [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging Felix Lechner via Guix-patches via
@ 2023-04-11 15:37     ` Maxim Cournoyer
  0 siblings, 0 replies; 13+ messages in thread
From: Maxim Cournoyer @ 2023-04-11 15:37 UTC (permalink / raw)
  To: Felix Lechner; +Cc: 62760-done, Leo Famulari

Hello,

Felix Lechner <felix.lechner@lease-up.com> writes:

> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.

I'm not sure why I needed to add it in the past; I think the build was
broken then without it.

> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.

> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.

I've fixed the change log to read as:

--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.

* gnu/packages/kerberos.scm (heimdal)[native-inputs]:
Add flex, libcap-ng, openldap and pkg-config.
[inputs]: Remove mit-krb5.  Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---

But then I noticed that libcap-ng and openldap did not need to be added to
native-inputs, so I removed those.  These are run-time libraries.

> ---
>  gnu/packages/kerberos.scm | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 0faf879e35..c9c86f9541 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -30,10 +30,12 @@
>  
>  (define-module (gnu packages kerberos)
>    #:use-module (gnu packages)
> +  #:use-module (gnu packages admin)
>    #:use-module (gnu packages autotools)
>    #:use-module (gnu packages bash)
>    #:use-module (gnu packages bison)
>    #:use-module (gnu packages dbm)
> +  #:use-module (gnu packages flex)
>    #:use-module (gnu packages perl)
>    #:use-module (gnu packages python)
>    #:use-module (gnu packages gettext)
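Review bot: `(gnu packages admin)` is newly imported, but none of the packages added in this series (`bison`, `flex`, `libcap-ng`, `openldap`, `pkg-config`, `python`) is visibly taken from it; if nothing in the file needs it, drop the line, since unused `#:use-module` clauses accumulate and slow down module loading for no benefit.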
> @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
>    #:use-module (gnu packages libidn)
>    #:use-module (gnu packages hurd)
>    #:use-module (gnu packages linux)
> +  #:use-module (gnu packages openldap)
>    #:use-module (gnu packages pkg-config)
>    #:use-module (gnu packages compression)
>    #:use-module (gnu packages readline)
> @@ -249,16 +252,22 @@ (define-public heimdal
>                            (format #t "#!~a~%exit 1~%" (which "sh")))))))
>         ;; Tests fail when run in parallel.
>         #:parallel-tests? #f))
> -    (native-inputs (list e2fsprogs ;for 'compile_et'
> +    (native-inputs (list bison
> +                         e2fsprogs ;for 'compile_et'
> +                         flex
> +                         libcap-ng
>                           texinfo
>                           unzip ;for tests
> +                         openldap
>                           perl
> +                         pkg-config
>                           python))
>      (inputs (list readline
>                    bash-minimal
>                    bdb
>                    e2fsprogs ;for libcom_err
> -                  mit-krb5
> +                  libcap-ng
> +                  openldap
>                    sqlite))
>      (home-page "http://www.h5l.org/")
>      (synopsis "Kerberos 5 network authentication")
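Review bot: `libcap-ng` and `openldap` are added to both native-inputs and inputs. They are libraries linked into the built binaries, so they belong in inputs only; native-inputs is for build-time tools such as `bison`, `flex` and `pkg-config`. Removing `mit-krb5` from inputs is reasonable if the build no longer needs it, but the commit message should say that the package was built and tested without it, since the reason it was originally added is not recorded.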

Modified like:

--8<---------------cut here---------------start------------->8---
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index a97c2ac87b..9e2f6acd56 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -253,18 +253,16 @@ (define-public heimdal
        ;; Tests fail when run in parallel.
        #:parallel-tests? #f))
     (native-inputs (list bison
-                         e2fsprogs ;for 'compile_et'
+                         e2fsprogs      ;for 'compile_et'
                          flex
-                         libcap-ng
                          texinfo
-                         unzip ;for tests
-                         openldap
+                         unzip          ;for tests
                          pkg-config
                          python))
     (inputs (list readline
                   bash-minimal
                   bdb
-                  e2fsprogs ;for libcom_err
+                  e2fsprogs             ;for libcom_err
                   libcap-ng
                   openldap
                   sqlite))
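Review bot: Keeping `e2fsprogs` in both lists is correct here, since the native copy provides the `compile_et` tool and the input copy provides `libcom_err`, as the two comments state. `python` still carries no rationale comment, unlike `unzip ;for tests`; adding one would tell the next maintainer whether it can be dropped.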
--8<---------------cut here---------------end--------------->8---

And installed!

-- 
Thanks,
Maxim




