From: bug#62760 <62760@debbugs.gnu.org>
To: bug#62760 <62760@debbugs.gnu.org>
Subject: Status: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Wed, 20 Aug 2025 11:12:01 +0000

retitle 62760 [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
reassign 62760 guix-patches
submitter 62760 Felix Lechner
severity 62760 normal
tag 62760 patch
thanks

From: Felix Lechner
To: guix-patches@gnu.org
Subject: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Mon, 10 Apr 2023 12:50:06 -0700
X-Debbugs-CC: guix-devel@gnu.org
Cc: Felix Lechner

Hi,

This patch series addresses two serious vulnerabilities in Heimdal, which is an implementation of the Kerberos protocol and therefore a security-relevant package.

First, the version being shipped currently in Guix suffers from "a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3." The upstream developers "believe it should be possible to get an RCE [remote code execution] on a KDC, which means that credentials can be compromised that can be used to impersonate anyone in a realm or forest of realms." "While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure." [1]

Second, all recent upstream releases (but not the development branch) suffer from a serious backporting error that NIST scored at a "7.5 HIGH". That issue is being patched here. [2]

Finally, we enabled OpenLDAP support for the principals database (which is different from using LDAP for user authorization) and modified the inputs to be more in line with Debian packaging.

The packaging presented here passed some cursory testing for basic client and server functionality locally, but that version did not include the patch for CVE-2022-45142 because I did not know how to add it to my custom channel.

Kind regards
Felix Lechner

[1] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* * *

Felix Lechner (3):
  gnu: heimdal: Update to 7.8.0.
  gnu: heimdal: Patch for CVE-2022-45142.
  gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.

 gnu/packages/kerberos.scm                     | 25 +++++++---
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
-- 
2.39.2

From: Felix Lechner
To: 62760@debbugs.gnu.org
Subject: [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
Date: Mon, 10 Apr 2023 12:52:24 -0700
Message-Id: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681155077.git.felix.lechner@lease-up.com>
Cc: Felix Lechner

Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The upstream release announcement calls it "a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE [remote code execution] on a KDC, which means that credentials can be compromised that can be used to impersonate anyone in a realm or forest of realms." "While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages bison) #:use-module (gnu packages dbm) #:use-module (gnu packages perl) + #:use-module (gnu packages python) #:use-module (gnu packages gettext) #:use-module (gnu packages gnupg) #:use-module (gnu packages libidn) @@ -166,7 +167,7 @@ (define-public shishi (define-public heimdal (package (name "heimdal") - (version "7.7.0") + (version "7.8.0") (source (origin (method url-fetch) (uri (string-append @@ -174,14 +175,14 @@ (define-public heimdal "heimdal-" version "/" "heimdal-" version ".tar.gz")) (sha256 (base32 - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh")) + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) (modules '((guix build utils))) (snippet '(begin (substitute* "configure" (("User=.*$") "User=Guix\n") (("Host=.*$") "Host=GNU") - (("Date=.*$") "Date=2019\n")))))) + (("Date=.*$") "Date=2022\n")))))) (build-system gnu-build-system) (arguments `(#:configure-flags 
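Review bot: the @@ -174,14 hunk swaps the base32 hash of the upstream tarball, and nothing in the commit message says how the new value "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx" was obtained. For a Kerberos implementation the reviewer should re-derive it independently (`guix download` of the upstream URL, compared against whatever signature or checksum upstream publishes for the 7.8.0 release) rather than accept the value in the patch. The `Date=2022` substitution in the same hunk only pins build metadata for reproducibility and needs no further justification.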
@@ -249,7 +250,8 @@ (define-public heimdal (native-inputs (list e2fsprogs ;for 'compile_et' texinfo unzip ;for tests - perl)) + perl + python)) (inputs (list readline bash-minimal bdb
-- 
2.39.2

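Review bot: the @@ -249,7 hunk adds python to native-inputs, but the ChangeLog entry only says "Update to 7.8.0"; a new build-time dependency on a security-sensitive package needs its reason stated (the thread later gives it: the 7.8.0 sources do not build without Python). native-inputs is the right place if Python is used only during the build; confirm with `guix gc --references` on the built output that the installed heimdal does not retain a reference to it.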
From: Felix Lechner
To: 62760@debbugs.gnu.org
Subject: [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
Date: Mon, 10 Apr 2023 12:52:25 -0700
Message-Id: <52829030c170d0be6e11efdc69fddaa88f290ea9.1681155077.git.felix.lechner@lease-up.com>
Cc: Felix Lechner

Several recent Heimdal releases are affected by the serious vulnerability CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]

At the time of writing, the upstream developers had not yet cut any releases post-7.8.0, which is why the patch is being applied here. The patch was extracted from Helmut Grohne's public vulnerability disclosure. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
---
 gnu/packages/kerberos.scm                     |  2 +
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index ae4efcbc23..0faf879e35 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -176,6 +176,8 @@ (define-public heimdal (sha256 (base32 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) + (patches (search-patches + "heimdal-CVE-2022-45142.patch")) (modules '((guix build utils))) (snippet '(begin
diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000000..a7258a937c
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch 
@@ -0,0 +1,49 @@ +From: Helmut Grohne +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +NB (Felix Lechner): The message above and the patch below were taken from the +disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1 + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1
-- 
2.39.2

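Review bot: the @@ -176,6 hunk in gnu/packages/kerberos.scm wires in "heimdal-CVE-2022-45142.patch" through search-patches, but the new file is not added to gnu/local.mk in the same commit, so it will be absent from generated source distributions (the point Leo raises later in this thread); register it there. Because the patch file carries a full commit-message preamble and its own "+-- +2.38.1" trailer, also confirm that it applies without fuzz against the 7.8.0 tarball, since the index line "e838d007a..eee6ad72f" refers to upstream git blobs rather than the release tree.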
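Review bot: in the @@ -365,7 hunk of lib/gssapi/krb5/arcfour.c the removed line `cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);` followed by `if (cmp) { ... return GSS_S_BAD_MIC;` rejected exactly the MICs whose checksum matched and let a mismatching checksum fall through, so the `!= 0` on the added line is the entire fix and _gssapi_verify_mic_arcfour now returns GSS_S_BAD_MIC only when the stored checksum differs. A regression test that feeds this function one correct and one corrupted MIC would have caught the backport slip; consider adding one alongside the patch or referencing upstream's.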
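Review bot: the @@ -730,7 hunk fixes the same inversion in _gssapi_unwrap_arcfour, and the context lines show why the slip was easy to make: a variable named `cmp` holds a boolean whose sense flips between "matches" and "differs" depending on whether `== 0` or `!= 0` is written. Renaming it `mismatch` or inlining the test as `if (ct_memcmp(cksum_data, p0 + 16, 8) != 0)` would make a future backport error visible at a glance; that is a change to raise upstream rather than to widen this local patch.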
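The logic inversion that the patch above corrects, shown as an added stand-alone example (this is not Heimdal's code and not part of the thread): `ct_memcmp_example` is a local constant-time comparison with the same contract assumed for Heimdal's `ct_memcmp` (returns 0 when equal, non-zero otherwise), the `GSS_OK`/`GSS_BAD_MIC` values stand in for the real GSS-API status codes, and the two 8-byte checksums are constructed sample data. `verify_mic_inverted` reproduces the condition as it was backported into 7.7.1/7.8.0 and `verify_mic_fixed` the corrected one; run together they show the inverted check rejecting the genuine MIC and accepting the forged one, which is the authentication bypass behind CVE-2022-45142.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Heimdal's code: a stand-alone constant-time memcmp with
 * the contract assumed for the ct_memcmp() used in lib/gssapi/krb5/arcfour.c:
 * 0 when the buffers are equal, non-zero otherwise, and no early exit on the
 * first differing byte (so timing does not leak how many bytes matched). */
static int ct_memcmp_example(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff;                      /* 0 means equal */
}

/* Stand-ins for the GSS-API status codes used in the patch (assumed values). */
enum { GSS_OK = 0, GSS_BAD_MIC = 1 };

#define MIC_LEN 8                     /* arcfour SGN_CKSUM is 8 bytes */

/* The condition as backported into 7.7.1/7.8.0: cmp is true when the checksums
 * MATCH, yet a true cmp is treated as a bad MIC. */
int verify_mic_inverted(const uint8_t expected[MIC_LEN],
                        const uint8_t received[MIC_LEN])
{
    int cmp = (ct_memcmp_example(expected, received, MIC_LEN) == 0);
    if (cmp)
        return GSS_BAD_MIC;
    return GSS_OK;
}

/* The CVE-2022-45142 fix: cmp is true only when the checksums DIFFER. */
int verify_mic_fixed(const uint8_t expected[MIC_LEN],
                     const uint8_t received[MIC_LEN])
{
    int cmp = (ct_memcmp_example(expected, received, MIC_LEN) != 0);
    if (cmp)
        return GSS_BAD_MIC;
    return GSS_OK;
}

/* Constructed sample data: the checksum the verifier computed itself, and a
 * forged one from the wire that differs only in its last byte. */
static const uint8_t good_mic[MIC_LEN]   = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
static const uint8_t forged_mic[MIC_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x89};

static const char *verdict(int rc)
{
    return rc == GSS_OK ? "accepted" : "rejected";
}

int main(void)
{
    printf("inverted: genuine MIC %s, forged MIC %s\n",
           verdict(verify_mic_inverted(good_mic, good_mic)),
           verdict(verify_mic_inverted(good_mic, forged_mic)));
    printf("fixed:    genuine MIC %s, forged MIC %s\n",
           verdict(verify_mic_fixed(good_mic, good_mic)),
           verdict(verify_mic_fixed(good_mic, forged_mic)));
    return 0;
}
```

The inverted variant is not merely "weak": every genuine peer is turned away while any attacker-chosen checksum passes, which is why a single character in a backport earned a 7.5 score. The constant-time comparison is kept here because the original change that introduced the slip (the CVE-2022-3437 fix named in the patch's Fixes: line) was precisely about replacing an early-exit memcmp.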
From: Felix Lechner
To: 62760@debbugs.gnu.org
Subject: [PATCH 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
Date: Mon, 10 Apr 2023 12:52:26 -0700
Cc: Felix Lechner

This commit took several cues for the inputs from the Debian packaging for Heimdal. [1]

First, it was not clear why the alternative implementation mit-krb5 should be supplied as an input to Heimdal. It was dropped.

The other inputs were added to address detection attempts in ./configure that failed. They were evident from the build log.

Also enables support for the OpenLDAP backend for the principals database.

[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable OpenLDAP; converge inputs toward Debian packaging.
---
 gnu/packages/kerberos.scm | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages) + #:use-module (gnu packages admin) #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages dbm) + #:use-module (gnu packages flex) #:use-module (gnu packages perl) #:use-module (gnu packages python) #:use-module (gnu packages gettext)
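Review bot: the @@ -30,10 hunk imports (gnu packages admin) and (gnu packages flex); flex is clearly for the new flex native input, but none of the packages added further down (bison, libcap-ng, openldap, pkg-config) obviously comes from (gnu packages admin), and (gnu packages linux) is already imported in the existing module list, so check that the admin import resolves a real symbol and drop it if not. Separately, the ChangeLog entry in the commit message names `(darktable)` where the variable being edited is `(heimdal)`.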
@@ -41,6 +43,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages libidn) #:use-module (gnu packages hurd) #:use-module (gnu packages linux) + #:use-module (gnu packages openldap) #:use-module (gnu packages pkg-config) #:use-module (gnu packages compression) #:use-module (gnu packages readline) 
@@ -249,16 +252,22 @@ (define-public heimdal (format #t "#!~a~%exit 1~%" (which "sh"))))))) ;; Tests fail when run in parallel. #:parallel-tests? #f)) - (native-inputs (list e2fsprogs ;for 'compile_et' + (native-inputs (list bison + e2fsprogs ;for 'compile_et' + flex + libcap-ng texinfo unzip ;for tests + openldap perl + pkg-config python)) (inputs (list readline bash-minimal bdb e2fsprogs ;for libcom_err - mit-krb5 + libcap-ng + openldap sqlite)) (home-page "http://www.h5l.org/") (synopsis "Kerberos 5 network authentication")
-- 
2.39.2

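Review bot: the @@ -249,16 hunk lists openldap and libcap-ng in both native-inputs and inputs; both are libraries heimdal links against, so they belong in inputs only (native-inputs is for build-time tools such as bison, flex and pkg-config), and the duplicate pulls a needless host-architecture build in when cross-compiling. The OpenLDAP backend is enabled here purely by letting ./configure find the library, which means a future detection failure silently ships a KDC without the advertised backend; pass an explicit flag in #:configure-flags (upstream's configure offers --with-openldap) so that outcome becomes a build error instead. Keep the input lists sorted as well: openldap is inserted after unzip.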
Date: Mon, 10 Apr 2023 19:05:35 -0400
From: Leo Famulari
To: Felix Lechner via Guix-patches via
Subject: Re: [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681155077.git.felix.lechner@lease-up.com>
Cc: Felix Lechner, 62760@debbugs.gnu.org

On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via wrote:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

Thanks for this!

> @@ -249,7 +250,8 @@ (define-public heimdal > (native-inputs (list e2fsprogs ;for 'compile_et' > texinfo > unzip ;for tests > - perl)) > + perl > + python))

Is this part intentional? It wasn't mentioned in the commit message.

Date: Mon, 10 Apr 2023 19:07:56 -0400
From: Leo Famulari
To: Felix Lechner via Guix-patches via
Subject: Re: [bug#62760] [PATCH 2/3] gnu: heimdal: Patch for CVE-2022-45142.
In-Reply-To: <52829030c170d0be6e11efdc69fddaa88f290ea9.1681155077.git.felix.lechner@lease-up.com>
Cc: Felix Lechner, 62760@debbugs.gnu.org

On Mon, Apr 10, 2023 at 12:52:25PM -0700, Felix Lechner via Guix-patches via wrote:
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for CVE-2022-45142.
> ---
>  gnu/packages/kerberos.scm                     |  2 +
>  .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++

It's necessary to register the new patch file in 'gnu/local.mk'. Otherwise it won't be included in certain generated distributions of the Guix source code. Examples are in the git log.

Can you send a revised patch?

From: Felix Lechner
Date: Mon, 10 Apr 2023 21:15:04 -0700
Subject: Re: [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
To: Leo Famulari
Cc: 62760@debbugs.gnu.org

Hi Leo,

On Mon, Apr 10, 2023 at 4:05 PM Leo Famulari wrote:
>
> > + python))
>
> Is this part intentional?

Yes, the sources for 7.8.0 failed to build without Python. I believe it was due to that commit

https://github.com/heimdal/heimdal/commit/6415a2032ec4b2ecc5917dae85b8f9e6f9e221d2

which fixed that issue:

https://github.com/heimdal/heimdal/issues/696

Kind regards,
Felix Lechner

From: Felix Lechner
To: 62760@debbugs.gnu.org
Cc: Felix Lechner, Leo Famulari
Subject: [PATCH v2 1/3] gnu: heimdal: Update to 7.8.0.
Date: Mon, 10 Apr 2023 21:23:11 -0700
Message-Id: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com>

Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages bison) #:use-module (gnu packages dbm) #:use-module (gnu packages perl) + #:use-module (gnu packages python) #:use-module (gnu packages gettext) #:use-module (gnu packages gnupg) #:use-module (gnu packages libidn) @@ -166,7 +167,7 @@ (define-public shishi (define-public heimdal (package (name "heimdal") - (version "7.7.0") + (version "7.8.0") (source (origin (method url-fetch) (uri (string-append @@ -174,14 +175,14 @@ (define-public heimdal "heimdal-" version "/" "heimdal-" version ".tar.gz")) (sha256 (base32 - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh")) + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) (modules '((guix build utils))) (snippet '(begin (substitute* "configure" (("User=.*$") "User=Guix\n") (("Host=.*$") "Host=GNU") - (("Date=.*$") "Date=2019\n")))))) + (("Date=.*$") "Date=2022\n")))))) (build-system gnu-build-system) (arguments `(#:configure-flags 
@@ -249,7 +250,8 @@ (define-public heimdal (native-inputs (list e2fsprogs ;for 'compile_et' texinfo unzip ;for tests - perl)) + perl + python)) (inputs (list readline bash-minimal bdb base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d -- 2.39.2
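Review bot: In the `(native-inputs ...)` hunk (@@ -249,7 +250,8 @@) the new `python` entry carries no explanatory comment, unlike its neighbours `e2fsprogs ;for 'compile_et'` and `unzip ;for tests`; the thread explains that Python became a hard build requirement only with 7.8.0 (upstream issue 696), so a short comment such as `python ;required by the build since 7.8.0` would let a later maintainer tell whether it can be dropped again, and the change log entry, which only says "Update to 7.8.0", should also name the added module import and native input.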
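Review bot: The hunk at @@ -174,14 +175,14 @@ replaces the tarball sha256 without the commit message saying how the new hash was obtained; for an update whose announcement rates the fixed issue at a possible CVSS 10.0, the message should state that the tarball was fetched from the URL in the `uri` field (for example with `guix download`) and, where upstream publishes a signature for the release, that it was checked, so that a second reviewer can reproduce the hash rather than trust the diff.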
From: Felix Lechner
To: 62760@debbugs.gnu.org
Cc: Felix Lechner, Leo Famulari
Subject: [PATCH v2 2/3] gnu: heimdal: Patch for CVE-2022-45142.
Date: Mon, 10 Apr 2023 21:23:12 -0700
Message-Id: <6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com>
In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com>

Several recent Heimdal releases are affected by the serious vulnerability
CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]

At the time of writing, the upstream developers had not yet cut any releases
post-7.8.0, which is why the patch is being applied here.

The patch was extracted from Helmut Grohne's public vulnerability
disclosure. [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
CVE-2022-45142.
---
 gnu/local.mk | 1 +
 gnu/packages/kerberos.scm | 2 +
 .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..f4cd3f448a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1327,6 +1327,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ %D%/packages/patches/helm-fix-gcc-9-build.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/htslib-for-stringtie.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index ae4efcbc23..0faf879e35 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -176,6 +176,8 @@ (define-public heimdal (sha256 (base32 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) + (patches (search-patches + "heimdal-CVE-2022-45142.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch new file mode 100644 index 0000000000..a7258a937c --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch 
@@ -0,0 +1,49 @@ +From: Helmut Grohne +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +NB (Felix Lechner): The message above and the patch below were taken from the +disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1 + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1 -- 2.39.2
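Review bot: The two inner hunks of the new patch file (in `_gssapi_verify_mic_arcfour` and `_gssapi_unwrap_arcfour`) are the whole fix and deserve one sentence in the Guix commit message rather than only the NIST score: with the removed `== 0` form, `cmp` was true when the computed `cksum_data` matched the received checksum, so a correct MIC was rejected with `GSS_S_BAD_MIC` while a mismatching one fell through past the check, and the `!= 0` form restores `cmp` to mean "checksums differ". Since the vendored file keeps the upstream `Fixes:` trailer and the `NB (Felix Lechner)` provenance line, which is good practice for a patch taken from a disclosure list, consider adding a note on when it can be dropped (the first upstream release after 7.8.0 that contains this commit) and, if time permits, a regression test in the package's check phase that runs one valid and one corrupted token through both functions.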
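The logic inversion that the vendored patch message describes, shown as an added C illustration that is not Heimdal's code and not part of this thread: a simplified constant-time compare in the style of `ct_memcmp()`, which returns 0 only when the buffers are equal, next to the checksum check in both the removed `== 0` form and the restored `!= 0` form. The `GSS_S_*` values, the `verify_mic_*` function names, the `ct_memcmp` reimplementation and the sample checksum bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder status codes for the example; the real GSS-API values differ. */
#define GSS_S_COMPLETE 0
#define GSS_S_BAD_MIC  1

/* Simplified constant-time comparison in the spirit of Heimdal's
 * ct_memcmp(): returns 0 when the buffers are equal and non-zero otherwise,
 * without exiting early on the first differing byte. Constructed for this
 * example; not Heimdal's implementation. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff != 0;
}

/* Fixed check, as on the "+" lines of the patch: cmp is true when the
 * checksums DIFFER, and a difference means the MIC is bad. */
int verify_mic_fixed(const uint8_t computed[8], const uint8_t received[8])
{
    int cmp = (ct_memcmp(computed, received, 8) != 0);
    if (cmp)
        return GSS_S_BAD_MIC;
    return GSS_S_COMPLETE;
}

/* Inverted check, as on the "-" lines (the CVE-2022-45142 defect): cmp is
 * true when the checksums MATCH, so a valid MIC is rejected and a corrupted
 * one passes. Kept only to demonstrate the defect side by side. */
int verify_mic_inverted(const uint8_t computed[8], const uint8_t received[8])
{
    int cmp = (ct_memcmp(computed, received, 8) == 0);
    if (cmp)
        return GSS_S_BAD_MIC;
    return GSS_S_COMPLETE;
}

/* Constructed sample values: a checksum and a copy with its last bit flipped. */
const uint8_t SAMPLE_CKSUM[8]    = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
const uint8_t SAMPLE_TAMPERED[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05};

int main(void)
{
    /* Expected: fixed accepts the valid MIC (0) and rejects the tampered one (1);
     * the inverted form does the opposite. */
    printf("fixed   : valid MIC -> %d, tampered MIC -> %d\n",
           verify_mic_fixed(SAMPLE_CKSUM, SAMPLE_CKSUM),
           verify_mic_fixed(SAMPLE_CKSUM, SAMPLE_TAMPERED));
    printf("inverted: valid MIC -> %d, tampered MIC -> %d\n",
           verify_mic_inverted(SAMPLE_CKSUM, SAMPLE_CKSUM),
           verify_mic_inverted(SAMPLE_CKSUM, SAMPLE_TAMPERED));
    return 0;
}
```

The constant-time property (no early exit, so timing does not leak how many leading bytes matched) is the reason the earlier upstream commit replaced `memcmp()` with `ct_memcmp()` in the first place; the CVE-2022-45142 fix does not touch that property, it only corrects the sense in which the result is tested.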
From: Felix Lechner
To: 62760@debbugs.gnu.org
Cc: Felix Lechner, Leo Famulari
Subject: [PATCH v2 3/3] gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian packaging.
Date: Mon, 10 Apr 2023 21:23:13 -0700
In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com>

This commit took several cues for the inputs from the Debian packaging for
Heimdal. [1]

First, it was not clear why the alternative implementation mit-krb5 should be
supplied as an input to Heimdal. It was dropped.

The other inputs were added to address detection attempts in ./configure that
failed. They were evident from the build log.

Also enables support for the OpenLDAP backend for the principals database.

[1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

* gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
OpenLDAP; converge inputs toward Debian packaging.
---
 gnu/packages/kerberos.scm | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 0faf879e35..c9c86f9541 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -30,10 +30,12 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages) + #:use-module (gnu packages admin) #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages dbm) + #:use-module (gnu packages flex) #:use-module (gnu packages perl) #:use-module (gnu packages python) #:use-module (gnu packages gettext) @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages libidn) #:use-module (gnu packages hurd) #:use-module (gnu packages linux) + #:use-module (gnu packages openldap) #:use-module (gnu packages pkg-config) #:use-module (gnu packages compression) #:use-module (gnu packages readline) 
@@ -249,16 +252,22 @@ (define-public heimdal (format #t "#!~a~%exit 1~%" (which "sh"))))))) ;; Tests fail when run in parallel. #:parallel-tests? #f)) - (native-inputs (list e2fsprogs ;for 'compile_et' + (native-inputs (list bison + e2fsprogs ;for 'compile_et' + flex + libcap-ng texinfo unzip ;for tests + openldap perl + pkg-config python)) (inputs (list readline bash-minimal bdb e2fsprogs ;for libcom_err - mit-krb5 + libcap-ng + openldap sqlite)) (home-page "http://www.h5l.org/") (synopsis "Kerberos 5 network authentication") -- 2.39.2
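Review bot: In the hunk at @@ -249,16 +252,22 @@, `libcap-ng` and `openldap` are added to both `native-inputs` and `inputs`; they are libraries Heimdal links against at run time, so they belong in `inputs` only, and the extra `native-inputs` entries would pull in build-machine copies that are never used when cross-compiling. `bison`, `flex` and `pkg-config`, by contrast, are build-time tools and are correctly placed under `native-inputs`. Two smaller points: the change log line names `(darktable)` where the modified variable is `(heimdal)`, and the commit message gives no reason for dropping `mit-krb5` beyond "it was not clear why", so a line confirming that the build and test suite pass without it would help a reviewer.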
From: Maxim Cournoyer
To: Felix Lechner
Cc: 62760@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:32:43 -0400
In-Reply-To: <754f9ad3afb378e4e0100b865ca81b28181e3054.1681186993.git.felix.lechner@lease-up.com> (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:11 -0700")
Message-ID: <87wn2imo2s.fsf_-_@gmail.com>

Hello,

Felix Lechner writes:

> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

I've fixed the commit message to use the GNU ChangeLog style; see:
info '(standards) Style of Change Logs'.

> ---
> gnu/packages/kerberos.scm | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
> > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index 9454a5983e..ae4efcbc23 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm > @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos) > #:use-module (gnu packages bison) > #:use-module (gnu packages dbm) > #:use-module (gnu packages perl) > + #:use-module (gnu packages python) > #:use-module (gnu packages gettext) > #:use-module (gnu packages gnupg) > #:use-module (gnu packages libidn) > @@ -166,7 +167,7 @@ (define-public shishi > (define-public heimdal > (package > (name "heimdal") > - (version "7.7.0") > + (version "7.8.0") > (source (origin > (method url-fetch) > (uri (string-append > @@ -174,14 +175,14 @@ (define-public heimdal > "heimdal-" version "/" "heimdal-" version ".tar.gz")) > (sha256 > (base32 > - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh")) > + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) > (modules '((guix build utils))) > (snippet > '(begin > (substitute* "configure" > (("User=.*$") "User=Guix\n") > (("Host=.*$") "Host=GNU") > - (("Date=.*$") "Date=2019\n")))))) > + (("Date=.*$") "Date=2022\n")))))) > (build-system gnu-build-system) > (arguments > `(#:configure-flags 
> @@ -249,7 +250,8 @@ (define-public heimdal > (native-inputs (list e2fsprogs ;for 'compile_et' > texinfo > unzip ;for tests > - perl)) > + perl > + python))

Thanks! I've dropped perl, which appears unnecessary to build/run the test
suite.

--
Thanks,
Maxim
From: Maxim Cournoyer
To: Felix Lechner
Cc: 62760@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:34:26 -0400
In-Reply-To: <6458bcfc33fec031de1a1574a8e073ac04d1ea3e.1681186993.git.felix.lechner@lease-up.com> (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:12 -0700")
Message-ID: <87sfd6mnzx.fsf_-_@gmail.com>

Hi,

Felix Lechner writes:

> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.

I've fixed the change log commit message like so:

--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8--- > --- > gnu/local.mk | 1 + > gnu/packages/kerberos.scm | 2 + > .../patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++ > 3 files changed, 52 insertions(+) > create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index b7e19b6bc2..f4cd3f448a 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1327,6 +1327,7 @@ dist_patch_DATA = \ > %D%/packages/patches/hdf-eos5-remove-gctp.patch \ > %D%/packages/patches/hdf-eos5-fix-szip.patch \ > %D%/packages/patches/hdf-eos5-fortrantests.patch \ > + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ > %D%/packages/patches/helm-fix-gcc-9-build.patch \ > %D%/packages/patches/http-parser-CVE-2020-8287.patch \ > %D%/packages/patches/htslib-for-stringtie.patch \ > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index ae4efcbc23..0faf879e35 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm 
> @@ -176,6 +176,8 @@ (define-public heimdal > (sha256 > (base32 > "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) > + (patches (search-patches > + "heimdal-CVE-2022-45142.patch"))

Nitpick; I've used the more conventional indentation for patches:

--8<---------------cut here---------------start------------->8---
(patches (search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---

Thank you!

--
Maxim
From: Maxim Cournoyer
To: Felix Lechner
Cc: 62760-done@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:37:58 -0400
In-Reply-To: (Felix Lechner's message of "Mon, 10 Apr 2023 21:23:13 -0700")
Message-ID: <87o7numnu1.fsf_-_@gmail.com>

Hello,

Felix Lechner writes:

> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.

I'm not sure why I needed to add it in the past; I think the build was
broken then without it.

> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.
> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.

I've fixed the change log to read as:

--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.

* gnu/packages/kerberos.scm (heimdal)[native-inputs]: Add flex, libcap-ng,
openldap and pkg-config.
[inputs]: Remove mit-krb5. Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---

But then noticed that libcap-ng and openldap did not need to be added to
native-inputs, so I removed those. These are run time libraries.

> ---
> gnu/packages/kerberos.scm | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 0faf879e35..c9c86f9541 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -30,10 +30,12 @@ > > (define-module (gnu packages kerberos) > #:use-module (gnu packages) > + #:use-module (gnu packages admin) > #:use-module (gnu packages autotools) > #:use-module (gnu packages bash) > #:use-module (gnu packages bison) > #:use-module (gnu packages dbm) > + #:use-module (gnu packages flex) > #:use-module (gnu packages perl) > #:use-module (gnu packages python) > #:use-module (gnu packages gettext) > @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos) > #:use-module (gnu packages libidn) > #:use-module (gnu packages hurd) > #:use-module (gnu packages linux) > + #:use-module (gnu packages openldap) > #:use-module (gnu packages pkg-config) > #:use-module (gnu packages compression) > #:use-module (gnu packages readline) > @@ -249,16 +252,22 @@ (define-public heimdal > (format #t "#!~a~%exit 1~%" (which "sh"))))))) > ;; Tests fail when run in parallel. > #:parallel-tests? #f)) > - (native-inputs (list e2fsprogs ;for 'compile_et' > + (native-inputs (list bison > + e2fsprogs ;for 'compile_et' > + flex > + libcap-ng > texinfo > unzip ;for tests > + openldap > perl > + pkg-config > python)) > (inputs (list readline > bash-minimal > bdb > e2fsprogs ;for libcom_err > - mit-krb5 > + libcap-ng > + openldap > sqlite)) > (home-page "http://www.h5l.org/") > (synopsis "Kerberos 5 network authentication")

Modified like:

--8<---------------cut here---------------start------------->8---
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index a97c2ac87b..9e2f6acd56 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -253,18 +253,16 @@ (define-public heimdal ;; Tests fail when run in parallel. #:parallel-tests? #f)) (native-inputs (list bison - e2fsprogs ;for 'compile_et' + e2fsprogs ;for 'compile_et' flex - libcap-ng texinfo - unzip ;for tests - openldap + unzip ;for tests pkg-config python)) (inputs (list readline bash-minimal bdb - e2fsprogs ;for libcom_err + e2fsprogs ;for libcom_err libcap-ng openldap sqlite))
--8<---------------cut here---------------end--------------->8---

And installed!

--
Thanks,
Maxim

From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 10 May 2023 11:24:09 +0000

bug archived.