Package: guix-patches;
Reported by: Felix Lechner <felix.lechner <at> lease-up.com>
Date: Mon, 10 Apr 2023 19:51:02 UTC
Severity: normal
Tags: patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 62760 in the body.
You can then email your comments to 62760 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-devel <at> gnu.org, guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 19:51:02 GMT) Full text and rfc822 format available.Felix Lechner <felix.lechner <at> lease-up.com>:guix-devel <at> gnu.org, guix-patches <at> gnu.org.
(Mon, 10 Apr 2023 19:51:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: guix-patches <at> gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com> Subject: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Date: Mon, 10 Apr 2023 12:50:06 -0700
Hi,
This patch series addresses two serious vulnerabilities in Heimdal, which is
an implementation of the Kerberos protocol and therefore a security-relevant
package.
First, the version being shipped currently in Guix suffers from "a severe
vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System
(CVSS) v3." The upstream developers "believe it should be possible to get an
RCE [remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [1]
Second, all recent upstream releases (but not the development branch) suffer
from a serious backporting error that NIST scored at a "7.5 HIGH". That issue
is being patched here. [2]
Finally, we enabled OpenLDAP support for the principals database (which is
different from using LDAP for user authorization) and modified the inputs to
be more in line with Debian packaging.
The packaging presented here passed some cursory testing for basic client and
server functionality locally, but that version did not include the patch for
CVE-2022-45142 because I did not know how to add it to my custom channel.
Kind regards
Felix Lechner
[1] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* * *
Felix Lechner (3):
gnu: heimdal: Update to 7.8.0.
gnu: heimdal: Patch for CVE-2022-45142.
gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian
packaging.
gnu/packages/kerberos.scm | 25 +++++++---
.../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
2 files changed, 68 insertions(+), 6 deletions(-)
create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 19:53:02 GMT) Full text and rfc822 format available.Message #8 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com> Subject: [PATCH 1/3] gnu: heimdal: Update to 7.8.0. Date: Mon, 10 Apr 2023 12:52:24 -0700
Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."
The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
gnu/packages/kerberos.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
#:use-module (gnu packages perl)
+ #:use-module (gnu packages python)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gnupg)
#:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
(define-public heimdal
(package
(name "heimdal")
- (version "7.7.0")
+ (version "7.8.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
"heimdal-" version "/" "heimdal-" version ".tar.gz"))
(sha256
(base32
- "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+ "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
(modules '((guix build utils)))
(snippet
'(begin
(substitute* "configure"
(("User=.*$") "User=Guix\n")
(("Host=.*$") "Host=GNU")
- (("Date=.*$") "Date=2019\n"))))))
+ (("Date=.*$") "Date=2022\n"))))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -249,7 +250,8 @@ (define-public heimdal
(native-inputs (list e2fsprogs ;for 'compile_et'
texinfo
unzip ;for tests
- perl))
+ perl
+ python))
(inputs (list readline
bash-minimal
bdb
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 19:53:02 GMT) Full text and rfc822 format available.Message #11 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com> Subject: [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142. Date: Mon, 10 Apr 2023 12:52:25 -0700
Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.
The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
gnu/packages/kerberos.scm | 2 +
.../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
(sha256
(base32
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+ (patches (search-patches
+ "heimdal-CVE-2022-45142.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 19:53:02 GMT) Full text and rfc822 format available.Message #14 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com> Subject: [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging. Date: Mon, 10 Apr 2023 12:52:26 -0700
This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]
First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.
The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.
Also enables support for the OpenLDAP backend for the principals database.
[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
gnu/packages/kerberos.scm | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
(define-module (gnu packages kerberos)
#:use-module (gnu packages)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
+ #:use-module (gnu packages flex)
#:use-module (gnu packages perl)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages libidn)
#:use-module (gnu packages hurd)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages openldap)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages compression)
#:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
(format #t "#!~a~%exit 1~%" (which "sh")))))))
;; Tests fail when run in parallel.
#:parallel-tests? #f))
- (native-inputs (list e2fsprogs ;for 'compile_et'
+ (native-inputs (list bison
+ e2fsprogs ;for 'compile_et'
+ flex
+ libcap-ng
texinfo
unzip ;for tests
+ openldap
perl
+ pkg-config
python))
(inputs (list readline
bash-minimal
bdb
e2fsprogs ;for libcom_err
- mit-krb5
+ libcap-ng
+ openldap
sqlite))
(home-page "http://www.h5l.org/")
(synopsis "Kerberos 5 network authentication")
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 23:06:02 GMT) Full text and rfc822 format available.Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Leo Famulari <leo <at> famulari.name> To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> Cc: Felix Lechner <felix.lechner <at> lease-up.com>, 62760 <at> debbugs.gnu.org Subject: Re: [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0. Date: Mon, 10 Apr 2023 19:05:35 -0400
On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via wrote: > Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The > upstream release announcement calls it "a severe vulnerability, possibly a > 10.0 on the Common Vulnerability Scoring System (CVSS) v3." > > The upstream developers further "believe it should be possible to get an RCE > [remote code execution] on a KDC, which means that credentials can be > compromised that can be used to impersonate anyone in a realm or forest of > realms." "While no zero-day exploit is known, such an exploit will likely be > available soon after public disclosure." [2] > > [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640 > [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0 > > * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0. Thanks for this! > @@ -249,7 +250,8 @@ (define-public heimdal > (native-inputs (list e2fsprogs ;for 'compile_et' > texinfo > unzip ;for tests > - perl)) > + perl > + python)) Is this part intentional? It wasn't mentioned in the commit message.
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 23:06:02 GMT) Full text and rfc822 format available.guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 23:09:02 GMT) Full text and rfc822 format available.Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Leo Famulari <leo <at> famulari.name> To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> Cc: Felix Lechner <felix.lechner <at> lease-up.com>, 62760 <at> debbugs.gnu.org Subject: Re: [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142. Date: Mon, 10 Apr 2023 19:07:56 -0400
On Mon, Apr 10, 2023 at 12:52:25PM -0700, Felix Lechner via Guix-patches via wrote: > * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142. > --- > gnu/packages/kerberos.scm | 2 + > .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++ It's necessary to register the new patch file in 'gnu/local.mk'. Otherwise it won't be included in certain generated distributions of the Guix source code. Examples are in the git log. Can you send a revised patch?
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Mon, 10 Apr 2023 23:09:02 GMT) Full text and rfc822 format available.guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 04:16:02 GMT) Full text and rfc822 format available.Message #29 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: Leo Famulari <leo <at> famulari.name> Cc: 62760 <at> debbugs.gnu.org Subject: Re: [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0. Date: Mon, 10 Apr 2023 21:15:04 -0700
Hi Leo,
On Mon, Apr 10, 2023 at 4:05 PM Leo Famulari <leo <at> famulari.name> wrote:
>
> > + python))
>
> Is this part intentional?
Yes, the sources for 7.8.0 failed to build without Python. I believe
it was due to that commit
https://github.com/heimdal/heimdal/commit/6415a2032ec4b2ecc5917dae85b8f9e6f9e221d2
which fixed that issue:
https://github.com/heimdal/heimdal/issues/696
Kind regards,
Felix Lechner
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 04:24:02 GMT) Full text and rfc822 format available.Message #32 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com>, Leo Famulari <leo <at> famulari.name> Subject: [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0. Date: Mon, 10 Apr 2023 21:23:11 -0700
Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."
The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
gnu/packages/kerberos.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
#:use-module (gnu packages perl)
+ #:use-module (gnu packages python)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gnupg)
#:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
(define-public heimdal
(package
(name "heimdal")
- (version "7.7.0")
+ (version "7.8.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
"heimdal-" version "/" "heimdal-" version ".tar.gz"))
(sha256
(base32
- "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+ "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
(modules '((guix build utils)))
(snippet
'(begin
(substitute* "configure"
(("User=.*$") "User=Guix\n")
(("Host=.*$") "Host=GNU")
- (("Date=.*$") "Date=2019\n"))))))
+ (("Date=.*$") "Date=2022\n"))))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -249,7 +250,8 @@ (define-public heimdal
(native-inputs (list e2fsprogs ;for 'compile_et'
texinfo
unzip ;for tests
- perl))
+ perl
+ python))
(inputs (list readline
bash-minimal
bdb
base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 04:24:02 GMT) Full text and rfc822 format available.Message #35 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com>, Leo Famulari <leo <at> famulari.name> Subject: [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142. Date: Mon, 10 Apr 2023 21:23:12 -0700
Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.
The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1
* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 2 +
.../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
3 files changed, 52 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..f4cd3f448a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1327,6 +1327,7 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2022-45142.patch \
%D%/packages/patches/helm-fix-gcc-9-build.patch \
%D%/packages/patches/http-parser-CVE-2020-8287.patch \
%D%/packages/patches/htslib-for-stringtie.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal
(sha256
(base32
"0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
+ (patches (search-patches
+ "heimdal-CVE-2022-45142.patch"))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,49 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+NB (Felix Lechner): The message above and the patch below were taken from the
+disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+--
+2.38.1
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 04:24:03 GMT) Full text and rfc822 format available.Message #38 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 62760 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com>, Leo Famulari <leo <at> famulari.name> Subject: [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging. Date: Mon, 10 Apr 2023 21:23:13 -0700
This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]
First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.
The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.
Also enables support for the OpenLDAP backend for the principals database.
[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
gnu/packages/kerberos.scm | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@
(define-module (gnu packages kerberos)
#:use-module (gnu packages)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages autotools)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
#:use-module (gnu packages dbm)
+ #:use-module (gnu packages flex)
#:use-module (gnu packages perl)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
#:use-module (gnu packages libidn)
#:use-module (gnu packages hurd)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages openldap)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages compression)
#:use-module (gnu packages readline)
@@ -249,16 +252,22 @@ (define-public heimdal
(format #t "#!~a~%exit 1~%" (which "sh")))))))
;; Tests fail when run in parallel.
#:parallel-tests? #f))
- (native-inputs (list e2fsprogs ;for 'compile_et'
+ (native-inputs (list bison
+ e2fsprogs ;for 'compile_et'
+ flex
+ libcap-ng
texinfo
unzip ;for tests
+ openldap
perl
+ pkg-config
python))
(inputs (list readline
bash-minimal
bdb
e2fsprogs ;for libcom_err
- mit-krb5
+ libcap-ng
+ openldap
sqlite))
(home-page "http://www.h5l.org/")
(synopsis "Kerberos 5 network authentication")
--
2.39.2
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 15:33:01 GMT) Full text and rfc822 format available.Message #41 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Felix Lechner <felix.lechner <at> lease-up.com> Cc: 62760 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name> Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Date: Tue, 11 Apr 2023 11:32:43 -0400
Hello,
Felix Lechner <felix.lechner <at> lease-up.com> writes:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
I've fixed the commit message to use the GNU ChangeLog style;
see: info '(standards) Style of Change Logs'.
> ---
> gnu/packages/kerberos.scm | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 9454a5983e..ae4efcbc23 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
> #:use-module (gnu packages bison)
> #:use-module (gnu packages dbm)
> #:use-module (gnu packages perl)
> + #:use-module (gnu packages python)
> #:use-module (gnu packages gettext)
> #:use-module (gnu packages gnupg)
> #:use-module (gnu packages libidn)
> @@ -166,7 +167,7 @@ (define-public shishi
> (define-public heimdal
> (package
> (name "heimdal")
> - (version "7.7.0")
> + (version "7.8.0")
> (source (origin
> (method url-fetch)
> (uri (string-append
> @@ -174,14 +175,14 @@ (define-public heimdal
> "heimdal-" version "/" "heimdal-" version ".tar.gz"))
> (sha256
> (base32
> - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
> + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> (modules '((guix build utils)))
> (snippet
> '(begin
> (substitute* "configure"
> (("User=.*$") "User=Guix\n")
> (("Host=.*$") "Host=GNU")
> - (("Date=.*$") "Date=2019\n"))))))
> + (("Date=.*$") "Date=2022\n"))))))
> (build-system gnu-build-system)
> (arguments
> `(#:configure-flags
> @@ -249,7 +250,8 @@ (define-public heimdal
> (native-inputs (list e2fsprogs ;for 'compile_et'
> texinfo
> unzip ;for tests
> - perl))
> + perl
> + python))
Thanks! I've dropped perl, which appears unnecessary to build/run the
test suite.
--
Thanks,
Maxim
guix-patches <at> gnu.org:bug#62760; Package guix-patches.
(Tue, 11 Apr 2023 15:35:02 GMT) Full text and rfc822 format available.Message #44 received at 62760 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Felix Lechner <felix.lechner <at> lease-up.com> Cc: 62760 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name> Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Date: Tue, 11 Apr 2023 11:34:26 -0400
Hi,
Felix Lechner <felix.lechner <at> lease-up.com> writes:
> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.
I've fixed the change log commit message like so:
--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8---
> ---
> gnu/local.mk | 1 +
> gnu/packages/kerberos.scm | 2 +
> .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
> 3 files changed, 52 insertions(+)
> create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index b7e19b6bc2..f4cd3f448a 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1327,6 +1327,7 @@ dist_patch_DATA = \
> %D%/packages/patches/hdf-eos5-remove-gctp.patch \
> %D%/packages/patches/hdf-eos5-fix-szip.patch \
> %D%/packages/patches/hdf-eos5-fortrantests.patch \
> + %D%/packages/patches/heimdal-CVE-2022-45142.patch \
> %D%/packages/patches/helm-fix-gcc-9-build.patch \
> %D%/packages/patches/http-parser-CVE-2020-8287.patch \
> %D%/packages/patches/htslib-for-stringtie.patch \
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index ae4efcbc23..0faf879e35 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -176,6 +176,8 @@ (define-public heimdal
> (sha256
> (base32
> "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> + (patches (search-patches
> + "heimdal-CVE-2022-45142.patch"))
Nitpick; I've used the more conventional indentation for patches:
--8<---------------cut here---------------start------------->8---
(patches
(search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---
Thank you!
--
Maxim
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:Felix Lechner <felix.lechner <at> lease-up.com>:Message #49 received at 62760-done <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Felix Lechner <felix.lechner <at> lease-up.com> Cc: 62760-done <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name> Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos Date: Tue, 11 Apr 2023 11:37:58 -0400
Hello,
Felix Lechner <felix.lechner <at> lease-up.com> writes:
> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.
I'm not sure why I needed to add it in the past; I think the build was
broken then without it.
> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.
> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.
I've fixed the change log to read as:
--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.
* gnu/packages/kerberos.scm (heimdal)[native-inputs]:
Add flex, libcap-ng, openldap and pkg-config.
[inputs]: Remove mit-krb5. Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---
But then noticed that libcap-ng and openldap needed not be added to
native-inputs, so I removed those. These are run time libraries.
> ---
> gnu/packages/kerberos.scm | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 0faf879e35..c9c86f9541 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -30,10 +30,12 @@
>
> (define-module (gnu packages kerberos)
> #:use-module (gnu packages)
> + #:use-module (gnu packages admin)
> #:use-module (gnu packages autotools)
> #:use-module (gnu packages bash)
> #:use-module (gnu packages bison)
> #:use-module (gnu packages dbm)
> + #:use-module (gnu packages flex)
> #:use-module (gnu packages perl)
> #:use-module (gnu packages python)
> #:use-module (gnu packages gettext)
> @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
> #:use-module (gnu packages libidn)
> #:use-module (gnu packages hurd)
> #:use-module (gnu packages linux)
> + #:use-module (gnu packages openldap)
> #:use-module (gnu packages pkg-config)
> #:use-module (gnu packages compression)
> #:use-module (gnu packages readline)
> @@ -249,16 +252,22 @@ (define-public heimdal
> (format #t "#!~a~%exit 1~%" (which "sh")))))))
> ;; Tests fail when run in parallel.
> #:parallel-tests? #f))
> - (native-inputs (list e2fsprogs ;for 'compile_et'
> + (native-inputs (list bison
> + e2fsprogs ;for 'compile_et'
> + flex
> + libcap-ng
> texinfo
> unzip ;for tests
> + openldap
> perl
> + pkg-config
> python))
> (inputs (list readline
> bash-minimal
> bdb
> e2fsprogs ;for libcom_err
> - mit-krb5
> + libcap-ng
> + openldap
> sqlite))
> (home-page "http://www.h5l.org/")
> (synopsis "Kerberos 5 network authentication")
Modified like:
--8<---------------cut here---------------start------------->8---
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index a97c2ac87b..9e2f6acd56 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -253,18 +253,16 @@ (define-public heimdal
;; Tests fail when run in parallel.
#:parallel-tests? #f))
(native-inputs (list bison
- e2fsprogs ;for 'compile_et'
+ e2fsprogs ;for 'compile_et'
flex
- libcap-ng
texinfo
- unzip ;for tests
- openldap
+ unzip ;for tests
pkg-config
python))
(inputs (list readline
bash-minimal
bdb
- e2fsprogs ;for libcom_err
+ e2fsprogs ;for libcom_err
libcap-ng
openldap
sqlite))
--8<---------------cut here---------------end--------------->8---
And installed!
--
Thanks,
Maxim
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Wed, 10 May 2023 11:24:09 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.