From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp12.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id MJ5NNL1oNGTmnwAASxT56A
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 10 Apr 2023 21:51:25 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp12.migadu.com with LMTPS
	id 0G4ZNL1oNGSatAAAauVa8A
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 10 Apr 2023 21:51:25 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id B07BE32642
	for <larch@yhetil.org>; Mon, 10 Apr 2023 21:51:25 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1plxXc-0000K1-Td; Mon, 10 Apr 2023 15:51:04 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1plxXb-0000JR-Bo; Mon, 10 Apr 2023 15:51:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1plxXb-0006Fn-4U; Mon, 10 Apr 2023 15:51:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1plxXa-0003JE-Jz; Mon, 10 Apr 2023 15:51:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal
 Kerberos
Resent-From: Felix Lechner <felix.lechner@lease-up.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-devel@gnu.org, guix-patches@gnu.org
Resent-Date: Mon, 10 Apr 2023 19:51:02 +0000
Resent-Message-ID: <handler.62760.B.168115623512536@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 62760
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 62760@debbugs.gnu.org
Cc: Felix Lechner <felix.lechner@lease-up.com>, guix-devel@gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
X-Debbugs-Original-Xcc: guix-devel@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.168115623512536
 (code B ref -1); Mon, 10 Apr 2023 19:51:02 +0000
Received: (at submit) by debbugs.gnu.org; 10 Apr 2023 19:50:35 +0000
Received: from localhost ([127.0.0.1]:35987 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1plxX8-0003G6-Pa
 for submit@debbugs.gnu.org; Mon, 10 Apr 2023 15:50:35 -0400
Received: from lists.gnu.org ([209.51.188.17]:49358)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@us-core.com>) id 1plxX7-0003Fp-70
 for submit@debbugs.gnu.org; Mon, 10 Apr 2023 15:50:33 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <felix.lechner@us-core.com>)
 id 1plxX6-0000IY-Qs
 for guix-patches@gnu.org; Mon, 10 Apr 2023 15:50:32 -0400
Received: from sail-ipv4.us-core.com ([208.82.101.137])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256)
 (Exim 4.90_1) (envelope-from <felix.lechner@us-core.com>)
 id 1plxX4-0006Bn-Oh
 for guix-patches@gnu.org; Mon, 10 Apr 2023 15:50:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=AGSEPjK53dwYQW0
 e13kdTJDLRxZI6g/SSGuontQuwUw=; h=date:subject:cc:to:from;
 d=lease-up.com; b=bcalglXgytf6gllp+L92f5WX6LV9qm9IblhLA1XBjX2fRtNeqC9R
 ffLqy+8KAc3tClBdUwo5uKZ4FGyrIGOxR526I6UO8tFKYEmFx5d0/NTTmOqXT1Ci+6aSUW
 TO/p6iegBJoI2yemHu0eT3dyoMp3YgWjGUGFAM2FG4sJaWxM0=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 5eb43a6f
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Mon, 10 Apr 2023 19:50:24 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id fdd1936d;
 Mon, 10 Apr 2023 19:50:24 +0000 (UTC)
Date: Mon, 10 Apr 2023 12:50:06 -0700
Message-Id: <cover.1681155077.git.felix.lechner@lease-up.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=208.82.101.137;
 envelope-from=felix.lechner@us-core.com; helo=sail-ipv4.us-core.com
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 UNPARSEABLE_RELAY=0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Reply-to:  Felix Lechner <felix.lechner@lease-up.com>
From:  Felix Lechner via "Development of GNU Guix and the GNU System distribution."
 <guix-devel@gnu.org>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1681156285; a=rsa-sha256; cv=none;
	b=RMsRbAbKm+ibHvlYuzUaMJsw1GMSuoc8x0Bw5hT0EElG8+M7tx5yUEliVp6/UcSJZMURZG
	qdzkijywsd32I3ULyDqFH0WwAxzAj2GWc8TXKh+R9E9xuws2OchHK1VEMt7jPdvQrMX/uB
	xVOHkW28Y5KrNeoF9p7tAgjUTktI+24ERRaoq0KVhZ6WYDzUI8Qxnb1dPBIz+hGvdDPXVi
	qgv0aBV+oMwItGKebxMyzGFnA0vkHNThwVPyEwi39iMa+CRI75T4b+ibrlRG0cZTyGfE0C
	NOJKDaKe8uWLCasmNFkjOh9yTK7yOvF9Enlx/rqxreKybdkEE4rzGWAo0j3csA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=bcalglXg;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1681156285;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=YV6OfHrAciRY9VZJgV80OJbVgwq0S5UX2NI9Qu8EIE8=;
	b=mlOPCPsaZHzskrBX9+VaK2hE6WbQkMzGhA8XXw5IK3ZSGu7Lf8u7swrW8rRPneTkIk12r9
	Tv97HExnsegWzW4xFoeiYdK/GdSiiJyfxiOYf/X4sn4PaTrWnnqJx31Jd6Rn4ZJ7NRqqaP
	rUd53OSLHAghROXXONpJqYwAWyDpU8mUnH3RiIKp2qNXgyCMhtUFxhH9EoetqNgHwhUKn3
	ndE8OAkOigExNJP900gRhUNUW8ZxvzfoUdRdUeiwUF7WAg0FBamXTc5EdYayW2UXWG3fXY
	BPxr2dIivSSB10gG37Bg0pxh1HUw10ok3rh/wOGjE9kr8BLbt6x9yXpGthTvwQ==
X-Migadu-Spam-Score: -3.42
X-Migadu-Scanner: scn1.migadu.com
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=bcalglXg;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Spam-Score: -3.42
X-Migadu-Queue-Id: B07BE32642
X-TUID: 6m7yH/yth4SF

Hi,

This patch series addresses two serious vulnerabilities in Heimdal, which is
an implementation of the Kerberos protocol and therefore a security-relevant
package.

First, the version being shipped currently in Guix suffers from "a severe
vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System
(CVSS) v3." The upstream developers "believe it should be possible to get an
RCE [remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [1]

Second, all recent upstream releases (but not the development branch) suffer
from a serious backporting error that NIST scored at a "7.5 HIGH". That issue
is being patched here. [2]

Finally, we enabled OpenLDAP support for the principals database (which is
different from using LDAP for user authorization) and modified the inputs to
be more in line with Debian packaging.

The packaging presented here passed some cursory testing for basic client and
server functionality locally, but that version did not include the patch for
CVE-2022-45142 because I did not know how to add it to my custom channel.

Kind regards
Felix Lechner

[1] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* * *

Felix Lechner (3):
  gnu: heimdal: Update to 7.8.0.
  gnu: heimdal: Patch for CVE-2022-45142.
  gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian
    packaging.

 gnu/packages/kerberos.scm                     | 25 +++++++---
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch


base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
-- 
2.39.2