From patchwork Mon Apr 10 19:52:24 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Felix Lechner <felix.lechner@lease-up.com>
X-Patchwork-Id: 49063
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 79D6C17483; Mon, 10 Apr 2023 20:53:32 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 50EB917483
	for <patchwork@mira.cbaines.net>; Mon, 10 Apr 2023 20:53:31 +0100 (BST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1plxZa-0000yN-MN; Mon, 10 Apr 2023 15:53:06 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1plxZX-0000xh-48
 for guix-patches@gnu.org; Mon, 10 Apr 2023 15:53:05 -0400
Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1plxZW-0006gY-S2
 for guix-patches@gnu.org; Mon, 10 Apr 2023 15:53:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1plxZW-0003O9-7j
 for guix-patches@gnu.org; Mon, 10 Apr 2023 15:53:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
Resent-From: Felix Lechner <felix.lechner@lease-up.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 10 Apr 2023 19:53:02 +0000
Resent-Message-ID: <handler.62760.B62760.168115635612964@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 62760
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 62760@debbugs.gnu.org
Cc: Felix Lechner <felix.lechner@lease-up.com>
Received: via spool by 62760-submit@debbugs.gnu.org id=B62760.168115635612964
 (code B ref 62760); Mon, 10 Apr 2023 19:53:02 +0000
Received: (at 62760) by debbugs.gnu.org; 10 Apr 2023 19:52:36 +0000
Received: from localhost ([127.0.0.1]:35992 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1plxZ6-0003N2-CO
 for submit@debbugs.gnu.org; Mon, 10 Apr 2023 15:52:36 -0400
Received: from sail-ipv4.us-core.com ([208.82.101.137]:39340)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <felix.lechner@us-core.com>) id 1plxZ4-0003Mu-Fa
 for 62760@debbugs.gnu.org; Mon, 10 Apr 2023 15:52:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=uzSDAtQBQAbtihg
 DvoOF3DUz7whduu5DHBLE/6j73Ig=;
 h=references:in-reply-to:date:subject:
 cc:to:from; d=lease-up.com; b=R0tldSr7YSPUfyMDW2YIta2iTAxwuxMN21zxpDhI
 57N6iob4og2F37Khi44U6u68bMTh61V21+/MRjm/UeugCSV/8c9NY0HNe/ulON1muRaZcZ
 ZkTGg/Y9t8ndYP425Li1hif8X4TK5JNtaVsTgz8+O+wSwfMKIoC5yT9m5I7Eo=
Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 263aef1b
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO);
 Mon, 10 Apr 2023 19:52:33 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id ff5eb31e;
 Mon, 10 Apr 2023 19:52:33 +0000 (UTC)
Date: Mon, 10 Apr 2023 12:52:24 -0700
Message-Id: 
 <754f9ad3afb378e4e0100b865ca81b28181e3054.1681155077.git.felix.lechner@lease-up.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <cover.1681155077.git.felix.lechner@lease-up.com>
References: <cover.1681155077.git.felix.lechner@lease-up.com>
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Reply-to: Felix Lechner <felix.lechner@lease-up.com>
X-ACL-Warn: ,  Felix Lechner via Guix-patches <guix-patches@gnu.org>
X-Patchwork-Original-From: Felix Lechner via Guix-patches via
 <guix-patches@gnu.org>
From: Felix Lechner <felix.lechner@lease-up.com>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
upstream release announcement calls it "a severe vulnerability, possibly a
10.0 on the Common Vulnerability Scoring System (CVSS) v3."

The upstream developers further "believe it should be possible to get an RCE
[remote code execution] on a KDC, which means that credentials can be
compromised that can be used to impersonate anyone in a realm or forest of
realms." "While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure." [2]

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
[2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

* gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
---
 gnu/packages/kerberos.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 9454a5983e..ae4efcbc23 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -35,6 +35,7 @@ (define-module (gnu packages kerberos)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages dbm)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
@@ -166,7 +167,7 @@ (define-public shishi
 (define-public heimdal
   (package
     (name "heimdal")
-    (version "7.7.0")
+    (version "7.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -174,14 +175,14 @@ (define-public heimdal
                     "heimdal-" version "/" "heimdal-" version ".tar.gz"))
               (sha256
                (base32
-                "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh"))
+                "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx"))
               (modules '((guix build utils)))
               (snippet
                '(begin
                   (substitute* "configure"
                     (("User=.*$") "User=Guix\n")
                     (("Host=.*$") "Host=GNU")
-                    (("Date=.*$") "Date=2019\n"))))))
+                    (("Date=.*$") "Date=2022\n"))))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -249,7 +250,8 @@ (define-public heimdal
     (native-inputs (list e2fsprogs ;for 'compile_et'
                          texinfo
                          unzip ;for tests
-                         perl))
+                         perl
+                         python))
     (inputs (list readline
                   bash-minimal
                   bdb