
bug#62760: closed ([PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos)


From: GNU bug Tracking System
Subject: bug#62760: closed ([PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos)
Date: Tue, 11 Apr 2023 15:39:02 +0000

Your message dated Tue, 11 Apr 2023 11:37:58 -0400
with message-id <87o7numnu1.fsf_-_@gmail.com>
and subject line Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in 
Heimdal Kerberos
has caused the debbugs.gnu.org bug report #62760,
regarding [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
62760: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62760
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Mon, 10 Apr 2023 12:50:06 -0700
Hi,

This patch series addresses two serious vulnerabilities in Heimdal, which is
an implementation of the Kerberos protocol and therefore a security-relevant
package.

First, the version being shipped currently in Guix suffers from "a severe
vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System
(CVSS) v3." The upstream developers "believe it should be possible to get an
RCE [remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [1]

Second, all recent upstream releases (but not the development branch) suffer
from a serious backporting error that NIST scored at a "7.5 HIGH". That issue
is being patched here. [2]

Finally, we enabled OpenLDAP support for the principals database (which is
different from using LDAP for user authorization) and modified the inputs to
be more in line with Debian packaging.

The packaging presented here passed some cursory testing for basic client and
server functionality locally, but that version did not include the patch for
CVE-2022-45142 because I did not know how to add it to my custom channel.

Kind regards
Felix Lechner

[1] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
[2] https://www.openwall.com/lists/oss-security/2023/02/08/1

* * *

Felix Lechner (3):
  gnu: heimdal: Update to 7.8.0.
  gnu: heimdal: Patch for CVE-2022-45142.
  gnu: heimdal: Enable OpenLDAP support; converge inputs toward Debian
    packaging.

 gnu/packages/kerberos.scm                     | 25 +++++++---
 .../patches/heimdal-CVE-2022-45142.patch      | 49 +++++++++++++++++++
 2 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch


base-commit: b08cdfc6d363e9ca63118303b4628542c54a612d
-- 
2.39.2




--- End Message ---
--- Begin Message ---
Subject: Re: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
Date: Tue, 11 Apr 2023 11:37:58 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Hello,

Felix Lechner <felix.lechner@lease-up.com> writes:

> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.

I'm not sure why I needed to add it in the past; I think the build was
broken then without it.

> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.

> [1] 
> https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2

> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.

I've fixed the change log to read as:

--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.

* gnu/packages/kerberos.scm (heimdal)[native-inputs]:
Add flex, libcap-ng,  openldap and pkg-config.
[inputs]: Remove mit-krb5.  Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---

But then noticed that libcap-ng and openldap needed not be added to
native-inputs, so I removed those.  These are run time libraries.

> ---
>  gnu/packages/kerberos.scm | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
> index 0faf879e35..c9c86f9541 100644
> --- a/gnu/packages/kerberos.scm
> +++ b/gnu/packages/kerberos.scm
> @@ -30,10 +30,12 @@
>  
>  (define-module (gnu packages kerberos)
>    #:use-module (gnu packages)
> +  #:use-module (gnu packages admin)
>    #:use-module (gnu packages autotools)
>    #:use-module (gnu packages bash)
>    #:use-module (gnu packages bison)
>    #:use-module (gnu packages dbm)
> +  #:use-module (gnu packages flex)
>    #:use-module (gnu packages perl)
>    #:use-module (gnu packages python)
>    #:use-module (gnu packages gettext)
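Review bot: the added `#:use-module (gnu packages admin)` has no visible consumer in this series; of the new inputs, flex comes from the (gnu packages flex) module added in the same hunk and openldap from its own module, and nothing in the diff shows which symbol is expected from admin. If none of bison, flex, libcap-ng, openldap or pkg-config resolves from (gnu packages admin), drop that line so the module list only names modules the package actually uses.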
> @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos)
>    #:use-module (gnu packages libidn)
>    #:use-module (gnu packages hurd)
>    #:use-module (gnu packages linux)
> +  #:use-module (gnu packages openldap)
>    #:use-module (gnu packages pkg-config)
>    #:use-module (gnu packages compression)
>    #:use-module (gnu packages readline)
> @@ -249,16 +252,22 @@ (define-public heimdal
>                            (format #t "#!~a~%exit 1~%" (which "sh")))))))
>         ;; Tests fail when run in parallel.
>         #:parallel-tests? #f))
> -    (native-inputs (list e2fsprogs ;for 'compile_et'
> +    (native-inputs (list bison
> +                         e2fsprogs ;for 'compile_et'
> +                         flex
> +                         libcap-ng
>                           texinfo
>                           unzip ;for tests
> +                         openldap
>                           perl
> +                         pkg-config
>                           python))
>      (inputs (list readline
>                    bash-minimal
>                    bdb
>                    e2fsprogs ;for libcom_err
> -                  mit-krb5
> +                  libcap-ng
> +                  openldap
>                    sqlite))
>      (home-page "http://www.h5l.org/";)
>      (synopsis "Kerberos 5 network authentication")
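Review bot: libcap-ng and openldap are shared libraries the installed Heimdal links against, so they belong only in `inputs`, where this hunk already adds them; repeating them under `native-inputs` is redundant (native inputs are build-machine tools such as bison, flex and pkg-config) and the placement there, with `openldap` after `unzip`, also breaks the alphabetical order the rest of the list keeps. Suggest dropping the two lines `+                         libcap-ng` and `+                         openldap` from native-inputs and leaving the runtime libraries in `inputs` only.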

Modified like:

--8<---------------cut here---------------start------------->8---
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index a97c2ac87b..9e2f6acd56 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -253,18 +253,16 @@ (define-public heimdal
        ;; Tests fail when run in parallel.
        #:parallel-tests? #f))
     (native-inputs (list bison
-                         e2fsprogs ;for 'compile_et'
+                         e2fsprogs      ;for 'compile_et'
                          flex
-                         libcap-ng
                          texinfo
-                         unzip ;for tests
-                         openldap
+                         unzip          ;for tests
                          pkg-config
                          python))
     (inputs (list readline
                   bash-minimal
                   bdb
-                  e2fsprogs ;for libcom_err
+                  e2fsprogs             ;for libcom_err
                   libcap-ng
                   openldap
                   sqlite))
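Review bot: the hunk mixes the functional change (removing libcap-ng and openldap from native-inputs) with whitespace-only realignment of the `;for 'compile_et'`, `;for tests` and `;for libcom_err` comments, which makes the dependency change harder to pick out of `git log -p` later; either leave the comment alignment as it was or mention the realignment in the change log. The split itself now looks right: bison, flex, pkg-config, texinfo, unzip and the compile_et tool from e2fsprogs are needed only at build time, while libcap-ng and openldap remain in `inputs` as run-time libraries.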
--8<---------------cut here---------------end--------------->8---

And installed!

-- 
Thanks,
Maxim


--- End Message ---
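As an added illustration, not code from the patch series or from the Guix tree, of the two points this thread settles (attaching the CVE-2022-45142 backport fix to the package's origin, and keeping run-time libraries in `inputs` rather than `native-inputs`), here is a trimmed-down Guix package skeleton for Heimdal. The package name, patch file name, input lists and module names are taken from the thread; the source URI and its hash are placeholders, the module locations of e2fsprogs and libcap-ng are assumed, and the version field assumes the 7.8.0 release named in the cover letter.

```scheme
;; Added example: a reduced Guix package definition for Heimdal.
;; This is NOT the real gnu/packages/kerberos.scm; URI and hash are placeholders.
(define-module (example heimdal)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages)            ; provides search-patches
  #:use-module (gnu packages bash)       ; bash-minimal
  #:use-module (gnu packages bison)
  #:use-module (gnu packages compression) ; unzip
  #:use-module (gnu packages dbm)        ; bdb
  #:use-module (gnu packages flex)
  #:use-module (gnu packages linux)      ; assumed home of e2fsprogs and libcap-ng
  #:use-module (gnu packages openldap)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages python)
  #:use-module (gnu packages readline)
  #:use-module (gnu packages sqlite)
  #:use-module (gnu packages texinfo))

(define-public heimdal
  (package
    (name "heimdal")
    (version "7.8.0")                    ; release named in the cover letter
    (source
     (origin
       (method url-fetch)
       ;; Placeholder URI: substitute the real release tarball.
       (uri (string-append "https://example.invalid/heimdal-" version ".tar.gz"))
       ;; Placeholder hash: 'guix download <uri>' prints the real base32 value.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))
       ;; The fix is applied to the unpacked source before ./configure runs.
       ;; search-patches looks the file up on Guix's patch search path, which
       ;; for the main tree is gnu/packages/patches/.
       (patches (search-patches "heimdal-CVE-2022-45142.patch"))))
    (build-system gnu-build-system)
    (arguments
     (list #:parallel-tests? #f))        ; tests fail when run in parallel
    ;; Build-machine tools only: nothing in the installed output refers to
    ;; them, so they never become run-time dependencies of the package.
    (native-inputs (list bison
                         e2fsprogs       ;for 'compile_et'
                         flex
                         texinfo
                         unzip           ;for tests
                         pkg-config
                         perl
                         python))
    ;; Libraries the installed binaries link against at run time.  These stay
    ;; referenced from the output and are therefore kept out of native-inputs.
    (inputs (list readline
                  bash-minimal
                  bdb
                  e2fsprogs              ;for libcom_err
                  libcap-ng              ;capability dropping in the daemons
                  openldap               ;LDAP backend for the principals DB
                  sqlite))
    (home-page "http://www.h5l.org/")
    (synopsis "Kerberos 5 network authentication")
    (description "Heimdal is an implementation of the Kerberos 5 network
authentication protocol.")
    (license license:bsd-3)))
```

In a custom channel where the patch cannot be found via `search-patches`, the same effect is obtained with `(patches (list (local-file "heimdal-CVE-2022-45142.patch")))` from `(guix gexp)`, which resolves the file relative to the channel's own source. Once the package builds, `guix lint -c cve heimdal` compares the name and version against the NIST feed and reports any CVE the recorded version is still flagged for, which is the check a packager would run before closing a bug like this one.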
