GNU bug report logs - #62760
[PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos

Previous Next

Package: guix-patches;

Reported by: Felix Lechner <felix.lechner <at> lease-up.com>

Date: Mon, 10 Apr 2023 19:51:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 62760 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: [bug#62760] [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:32:43 -0400

Hello,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

I've fixed the commit message to use the GNU ChangeLog style;
see: info '(standards) Style of Change Logs'.

> ---
>  gnu/packages/kerberos.scm | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 9454a5983e..ae4efcbc23 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
>    #:use-module (gnu packages bison)
>    #:use-module (gnu packages dbm)
>    #:use-module (gnu packages perl)
> +  #:use-module (gnu packages python)
>    #:use-module (gnu packages gettext)
>    #:use-module (gnu packages gnupg)
>    #:use-module (gnu packages libidn)
> @@ -166,7 +167,7 @@ (define-public shishi
>  (define-public heimdal
>    (package
>      (name "heimdal")
> -    (version "7.7.0")
> +    (version "7.8.0")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append
> @@ -174,14 +175,14 @@ (define-public heimdal
>                      "heimdal-" version "/" "heimdal-" version ".tar.gz"))
>                (sha256
>                 (base32
> -                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
> +                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
>                (modules '((guix build utils)))
>                (snippet
>                 '(begin
>                    (substitute* "configure"
>                      (("User=.*$") "User=Guix\n")
>                      (("Host=.*$") "Host=GNU")
> -                    (("Date=.*$") "Date=2019\n"))))))
> +                    (("Date=.*$") "Date=2022\n"))))))
>      (build-system gnu-build-system)
>      (arguments
>       `(#:configure-flags
> @@ -249,7 +250,8 @@ (define-public heimdal
>      (native-inputs (list e2fsprogs ;for 'compile_et'
>                           texinfo
>                           unzip ;for tests
> -                         perl))
> +                         perl
> +                         python))

Thanks!  I've dropped perl, which appears unnecessary to build/run the
test suite.

-- 
Thanks,
Maxim
This bug report was last modified 2 years and 102 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.