diff mbox series

[bug#62760,1/3] gnu: heimdal: Update to 7.8.0.

Message ID 754f9ad3afb378e4e0100b865ca81b28181e3054.1681155077.git.felix.lechner@lease-up.com
State New
Headers show
Series Two serious vulnerabilities in Heimdal Kerberos | expand

Commit Message

Felix Lechner April 10, 2023, 7:52 p.m. UTC 
Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Leo Famulari April 10, 2023, 11:05 p.m. UTC | #1 
On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via wrote:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
> 
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
> 
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.

Thanks for this!

> @@ -249,7 +250,8 @@ (define-public heimdal
>      (native-inputs (list e2fsprogs ;for 'compile_et'
>                           texinfo
>                           unzip ;for tests
> -                         perl))
> +                         perl
> +                         python))

Is this part intentional? It wasn't mentioned in the commit message.
Felix Lechner April 11, 2023, 4:15 a.m. UTC | #2 
Hi Leo,

On Mon, Apr 10, 2023 at 4:05 PM Leo Famulari <leo@famulari.name> wrote:
>
> > +                         python))
>
> Is this part intentional?

Yes, the sources for 7.8.0 failed to build without Python. I believe
it was due to that commit

    https://github.com/heimdal/heimdal/commit/6415a2032ec4b2ecc5917dae85b8f9e6f9e221d2

which fixed that issue:

    https://github.com/heimdal/heimdal/issues/696

Kind regards,
Felix Lechner
diff mbox series

Patch

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@  (define-module (gnu packages kerberos)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@  (define-public shishi
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "7.7.0")
+    (version "7.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -174,14 +175,14 @@  (define-public heimdal
                     "heimdal-" version "/" "heimdal-" version ".tar.gz"))
               (sha256
                (base32
-                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
               (modules '((guix build utils)))
               (snippet
                '(begin
                   (substitute* "configure"
                     (("User=.*$") "User=Guix\n")
                     (("Host=.*$") "Host=GNU")
-                    (("Date=.*$") "Date=2019\n"))))))
+                    (("Date=.*$") "Date=2022\n"))))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -249,7 +250,8 @@  (define-public heimdal
     (native-inputs (list e2fsprogs ;for 'compile_et'
                          texinfo
                          unzip ;for tests
-                         perl))
+                         perl
+                         python))
     (inputs (list readline
                   bash-minimal
                   bdb