GNU bug report logs - #34632
[PATCH 0/2] Change from GSS to MIT-KRB5.

Previous Next

Full log

Message #34 received at 34632-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 34632-done <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Wed, 15 May 2019 19:06:47 -0400

Hello Marius,

Marius Bakke <mbakke <at> fastmail.com> writes:

[...]

>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had ping'd the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there haven't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Googles OSS-Fuzz and
> similar so that we can be more confident in the implementation.

Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL (which is one of the two fuzzers used by Google's
OSS-fuzz service, and which we already have in Guix).

Food for thoughts!

> For now I've pushed these patches in 996186b..828d376.

Thank you,

Maxim

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.