GNU bug report logs - #62760
[PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos

Package: guix-patches

Reported by: Felix Lechner <felix.lechner <at> lease-up.com>

Date: Mon, 10 Apr 2023 19:51:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Message #44 received at 62760 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 62760 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal
 Kerberos
Date: Tue, 11 Apr 2023 11:34:26 -0400

Hi,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Several recent Heimdal releases are affected by the serious vulnerability
> CVE-2022-45142, which NIST scored as "7.5 HIGH". [1]
>
> At the time of writing, the upstream developers had not yet cut any releases
> post-7.8.0, which is why the patch is being applied here.
>
> The patch was extracted from Helmut Grohne's public vulnerability
> disclosure. [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142
> [2] https://www.openwall.com/lists/oss-security/2023/02/08/1
>
> * gnu/packages/kerberos.scm (heimdal)[patches]: Add patch for
> CVE-2022-45142.

I've fixed the change log commit message like so:

--8<---------------cut here---------------start------------->8---
* gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/kerberos.scm (heimdal)[source]: Apply it.
--8<---------------cut here---------------end--------------->8---
    
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/kerberos.scm                     |  2 +
>  .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
>  3 files changed, 52 insertions(+)
>  create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index b7e19b6bc2..f4cd3f448a 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1327,6 +1327,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
>    %D%/packages/patches/hdf-eos5-fix-szip.patch			\
>    %D%/packages/patches/hdf-eos5-fortrantests.patch		\
> +  %D%/packages/patches/heimdal-CVE-2022-45142.patch		\
>    %D%/packages/patches/helm-fix-gcc-9-build.patch		\
>    %D%/packages/patches/http-parser-CVE-2020-8287.patch		\
>    %D%/packages/patches/htslib-for-stringtie.patch		\
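
Review bot: The new `heimdal-CVE-2022-45142.patch` entry in `dist_patch_DATA` has no counterpart in the commit log, which lists only `gnu/packages/kerberos.scm`; add a line such as `* gnu/local.mk (dist_patch_DATA): Register it.` so the registration is recorded. The entry itself is in the correct sorted position, after `hdf-eos5-fortrantests.patch` and before `helm-fix-gcc-9-build.patch`.
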
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index ae4efcbc23..0faf879e35 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -176,6 +176,8 @@ (define-public heimdal
>                (sha256
>                 (base32
>                  "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
> +              (patches (search-patches
> +                        "heimdal-CVE-2022-45142.patch"))
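
Review bot: The `patches` field added after the `sha256` hash has no comment saying why the patch is carried or when it can be dropped. The cover text says upstream had not cut a release after 7.8.0, so a one-line comment above `(patches` noting that the patch should be removed at the next upstream release would help whoever updates the package. Because the field sits beside the source hash, the commit log entry for this file should also be marked `[source]` rather than `[patches]`.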

Nitpick; I've used the more conventional indentation for patches:

--8<---------------cut here---------------start------------->8---
              (patches
               (search-patches "heimdal-CVE-2022-45142.patch"))
--8<---------------cut here---------------end--------------->8---

Thank you!
-- 
Maxim




This bug report was last modified 2 years and 103 days ago.
