Subject: bug#62760: [PATCH 0/3] Two serious vulnerabilities in Heimdal Kerberos
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 49099
To: Felix Lechner
Cc: 62760-done@debbugs.gnu.org, Leo Famulari
From: Maxim Cournoyer
Date: Tue, 11 Apr 2023 11:37:58 -0400

Hello,

Felix Lechner writes:

> This commit took several cues for the inputs from the Debian packaging for
> Heimdal. [1]
>
> First, it was not clear why the alternative implementation mit-krb5 should be
> supplied as an input to Heimdal. It was dropped.

I'm not sure why I needed to add it in the past; I think the build was
broken then without it.

> The other inputs were added to address detection attempts in ./configure that
> failed. They were evident from the build log.
>
> Also enables support for the OpenLDAP backend for the principals database.
> [1] https://tracker.debian.org/media/packages/h/heimdal/control-7.8.git20221117.28daf24dfsg-2
> * gnu/packages/kerberos.scm (darktable)[inputs, native-inputs]: Enable
> OpenLDAP; converge inputs toward Debian packaging.

I've fixed the change log to read as:

--8<---------------cut here---------------start------------->8---
gnu: heimdal: Enable OpenLDAP support.

* gnu/packages/kerberos.scm (heimdal)[native-inputs]: Add flex, libcap-ng,
openldap and pkg-config.
[inputs]: Remove mit-krb5. Add libcap-ng and openldap.
--8<---------------cut here---------------end--------------->8---

But then noticed that libcap-ng and openldap needed not be added to
native-inputs, so I removed those.
These are run time libraries. > --- > gnu/packages/kerberos.scm | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm > index 0faf879e35..c9c86f9541 100644 > --- a/gnu/packages/kerberos.scm > +++ b/gnu/packages/kerberos.scm > @@ -30,10 +30,12 @@ > > (define-module (gnu packages kerberos) > #:use-module (gnu packages) > + #:use-module (gnu packages admin) > #:use-module (gnu packages autotools) > #:use-module (gnu packages bash) > #:use-module (gnu packages bison) > #:use-module (gnu packages dbm) > + #:use-module (gnu packages flex) > #:use-module (gnu packages perl) > #:use-module (gnu packages python) > #:use-module (gnu packages gettext) > @@ -41,6 +43,7 @@ (define-module (gnu packages kerberos) > #:use-module (gnu packages libidn) > #:use-module (gnu packages hurd) > #:use-module (gnu packages linux) > + #:use-module (gnu packages openldap) > #:use-module (gnu packages pkg-config) > #:use-module (gnu packages compression) > #:use-module (gnu packages readline) > @@ -249,16 +252,22 @@ (define-public heimdal > (format #t "#!~a~%exit 1~%" (which "sh"))))))) > ;; Tests fail when run in parallel. > #:parallel-tests? #f)) > - (native-inputs (list e2fsprogs ;for 'compile_et' > + (native-inputs (list bison > + e2fsprogs ;for 'compile_et' > + flex > + libcap-ng > texinfo > unzip ;for tests > + openldap > perl > + pkg-config > python)) > (inputs (list readline > bash-minimal > bdb > e2fsprogs ;for libcom_err > - mit-krb5 > + libcap-ng > + openldap > sqlite)) > (home-page "http://www.h5l.org/") > (synopsis "Kerberos 5 network authentication") Modified like: --8<---------------cut here---------------start------------->8--- --8<---------------cut here---------------end--------------->8--- And installed! diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index a97c2ac87b..9e2f6acd56 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm 
@@ -253,18 +253,16 @@ (define-public heimdal ;; Tests fail when run in parallel. #:parallel-tests? #f)) (native-inputs (list bison - e2fsprogs ;for 'compile_et' + e2fsprogs ;for 'compile_et' flex - libcap-ng texinfo - unzip ;for tests - openldap + unzip ;for tests pkg-config python)) (inputs (list readline bash-minimal bdb - e2fsprogs ;for libcom_err + e2fsprogs ;for libcom_err libcap-ng openldap sqlite))
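
Review bot: In the first hunk of the quoted patch (`@@ -30,10 +30,12 @@`), the added `#:use-module (gnu packages admin)` line has no visible consumer. `(gnu packages flex)` and `(gnu packages openldap)` line up with the flex and openldap inputs added further down, but nothing in the later hunks shows which input needs the admin module. If libcap-ng is already provided by a module in this list, drop the import; otherwise say in the change log which package it is for.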
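
Review bot: In the quoted hunk `@@ -249,16 +252,22 @@`, `libcap-ng` and `openldap` are added to both `native-inputs` and `inputs`. They are libraries that Heimdal links against, so they belong in `inputs` only. `native-inputs` is for tools that run on the build machine (here bison, flex and pkg-config), and a library listed there is built for the build machine, which a cross-build cannot link against. Keeping the two lists distinct also keeps the build-time closure of a security-sensitive package as small as it can be.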
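
Review bot: Once the follow-up hunk `@@ -253,18 +253,16 @@` drops `libcap-ng` and `openldap` from `native-inputs`, the change log quoted earlier in this message no longer describes the result: its `[native-inputs]` entry still names libcap-ng and openldap, and it does not mention bison, which the quoted patch adds at the head of the list. The committed entry should match the final list, along the lines of "Add bison, flex and pkg-config." The re-indentation of the `;for 'compile_et'`, `;for tests` and `;for libcom_err` comments in the same hunk is unrelated whitespace and would be easier to review as a separate change.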