From 789554cb76e89e2bf4ca95953e7d5c23d8cae984 Mon Sep 17 00:00:00 2001 From: Felix Lechner Date: Mon, 10 Apr 2023 21:23:11 -0700 Subject: gnu: heimdal: Update to 7.8.0 [fixes CVE-2022-44640]. * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0. [source]: Adjust date in snippet. [native-inputs]: Add python. Remove perl. Signed-off-by: Maxim Cournoyer Modified-by: Maxim Cournoyer --- gnu/packages/kerberos.scm | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'gnu/packages/kerberos.scm') diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 9454a5983e..6f3770db28 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -35,6 +35,7 @@ #:use-module (gnu packages bison) #:use-module (gnu packages dbm) #:use-module (gnu packages perl) + #:use-module (gnu packages python) #:use-module (gnu packages gettext) #:use-module (gnu packages gnupg) #:use-module (gnu packages libidn) @@ -166,7 +167,7 @@ After installation, the system administrator should generate keys using (define-public heimdal (package (name "heimdal") - (version "7.7.0") + (version "7.8.0") (source (origin (method url-fetch) (uri (string-append @@ -174,14 +175,14 @@ After installation, the system administrator should generate keys using "heimdal-" version "/" "heimdal-" version ".tar.gz")) (sha256 (base32 - "06vx3cb01s4lv3lpv0qzbbj97cln1np1wjphkkmmbk1lsqa36bgh")) + "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) (modules '((guix build utils))) (snippet '(begin (substitute* "configure" (("User=.*$") "User=Guix\n") (("Host=.*$") "Host=GNU") - (("Date=.*$") "Date=2019\n")))))) + (("Date=.*$") "Date=2022\n")))))) (build-system gnu-build-system) (arguments `(#:configure-flags @@ -249,7 +250,7 @@ After installation, the system administrator should generate keys using (native-inputs (list e2fsprogs ;for 'compile_et' texinfo unzip ;for tests - perl)) + python)) (inputs (list readline bash-minimal bdb -- cgit v1.2.3 From 691f17a8cc6ba1c353ee65b41567e607ed3fcfae Mon Sep 17 00:00:00 2001 From: Felix Lechner Date: Mon, 10 Apr 2023 21:23:12 -0700 Subject: gnu: heimdal: Apply patch to fix CVE-2022-45142. Several recent Heimdal releases are affected by the serious vulnerability CVE-2022-45142, which NIST scored as "7.5 HIGH". [1] At the time of writing, the upstream developers had not yet cut any releases post-7.8.0, which is why the patch is being applied here. The patch was extracted from Helmut Grohne's public vulnerability disclosure. [2] [1] https://nvd.nist.gov/vuln/detail/CVE-2022-45142 [2] https://www.openwall.com/lists/oss-security/2023/02/08/1 * gnu/packages/patches/heimdal-CVE-2022-45142.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/kerberos.scm (heimdal)[source]: Apply it. Signed-off-by: Maxim Cournoyer --- gnu/local.mk | 1 + gnu/packages/kerberos.scm | 2 + gnu/packages/patches/heimdal-CVE-2022-45142.patch | 49 +++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 gnu/packages/patches/heimdal-CVE-2022-45142.patch (limited to 'gnu/packages/kerberos.scm') diff --git a/gnu/local.mk b/gnu/local.mk index f0a228f19f..8088e8170b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1328,6 +1328,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/heimdal-CVE-2022-45142.patch \ %D%/packages/patches/helm-fix-gcc-9-build.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/htslib-for-stringtie.patch \ diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 6f3770db28..2035f16d71 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -176,6 +176,8 @@ After installation, the system administrator should generate keys using (sha256 (base32 "0f4dblav859p5hn7b2jdj1akw6d8p32as6bj6zym19kghh3s51zx")) + (patches + (search-patches "heimdal-CVE-2022-45142.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/heimdal-CVE-2022-45142.patch b/gnu/packages/patches/heimdal-CVE-2022-45142.patch new file mode 100644 index 0000000000..a7258a937c --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2022-45142.patch @@ -0,0 +1,49 @@ +From: Helmut Grohne +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +NB (Felix Lechner): The message above and the patch below were taken from the +disclosure here: https://www.openwall.com/lists/oss-security/2023/02/08/1 + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1 -- cgit v1.2.3 From 5480ba2491c6f2c84f88e45f47a5ec7348c07e3a Mon Sep 17 00:00:00 2001 From: Felix Lechner Date: Mon, 10 Apr 2023 21:23:13 -0700 Subject: gnu: heimdal: Enable OpenLDAP support. * gnu/packages/kerberos.scm (heimdal) [native-inputs]: Add bison, flex and pkg-config. [inputs]: Remove mit-krb5. Add libcap-ng and openldap. Signed-off-by: Maxim Cournoyer Modified-by: Maxim Cournoyer --- gnu/packages/kerberos.scm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'gnu/packages/kerberos.scm') diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 2035f16d71..9e2f6acd56 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -30,10 +30,12 @@ (define-module (gnu packages kerberos) #:use-module (gnu packages) + #:use-module (gnu packages admin) #:use-module (gnu packages autotools) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages dbm) + #:use-module (gnu packages flex) #:use-module (gnu packages perl) #:use-module (gnu packages python) #:use-module (gnu packages gettext) @@ -41,6 +43,7 @@ #:use-module (gnu packages libidn) #:use-module (gnu packages hurd) #:use-module (gnu packages linux) + #:use-module (gnu packages openldap) #:use-module (gnu packages pkg-config) #:use-module (gnu packages compression) #:use-module (gnu packages readline) @@ -249,15 +252,19 @@ After installation, the system administrator should generate keys using (format #t "#!~a~%exit 1~%" (which "sh"))))))) ;; Tests fail when run in parallel. #:parallel-tests? #f)) - (native-inputs (list e2fsprogs ;for 'compile_et' + (native-inputs (list bison + e2fsprogs ;for 'compile_et' + flex texinfo - unzip ;for tests + unzip ;for tests + pkg-config python)) (inputs (list readline bash-minimal bdb - e2fsprogs ;for libcom_err - mit-krb5 + e2fsprogs ;for libcom_err + libcap-ng + openldap sqlite)) (home-page "http://www.h5l.org/") (synopsis "Kerberos 5 network authentication") -- cgit v1.2.3