Heimdal 7.1 is vulnerable to CVE-2017-6594 - may permit bypass of capath policy. This has been addressed in Heimdal 7.3.0. https://www.h5l.org/advisories.html?show=2017-04-13 Additionally, MASTER_SITES is now out of date - Heimdal is now distributed via github releases. https://www.h5l.org/sources.html https://github.com/heimdal/heimdal/releases Attempted to pull it up straight, but patches are not applying cleanly, so additional work will be needed. Makefile and distinfo patch provided here (but I may have gotten MASTER_SITES wrong.)
Created attachment 183072 [details] Suggested Makefile + distinfo updates First swing at Makefile/distinfo updates - NOT SAFE FOR APPLYING. FreeBSD patches do NOT apply to 7.3.0 cleanly.
adding port-secteam
A commit references this bug: Author: feld Date: Wed May 31 15:30:03 UTC 2017 New revision: 442221 URL: https://svnweb.freebsd.org/changeset/ports/442221 Log: Document heimdal vulnerability PR: 219657 Security: CVE-2017-6594 Changes: head/security/vuxml/vuln.xml
If we cannot upgrade it to 7.3, I think we should add a patch, i.e., https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
(In reply to Jung-uk Kim from comment #4) Do you have an environment in which you can test the current version with that backported patch? If someone can validate it's working as expected we could push the patch and update the vuxml.
Created attachment 183175 [details] Backported fix for CVE-2017-6594 to 7.1.0 Backported fix for CVE-2017-6594 to 7.1.0 I have compiled it and my kdc seems to work. 5 tests fail from the test suite but that seems to be unrelated.
A commit references this bug: Author: feld Date: Fri Jun 9 15:57:31 UTC 2017 New revision: 443016 URL: https://svnweb.freebsd.org/changeset/ports/443016 Log: security/heimdal: Backport security fix PR: 219657 MFH: 2017Q2 Security: CVE-2017-6594 Changes: head/security/heimdal/Makefile head/security/heimdal/files/patch-CVE-2017-6594
A commit references this bug: Author: feld Date: Fri Jun 9 15:58:13 UTC 2017 New revision: 443017 URL: https://svnweb.freebsd.org/changeset/ports/443017 Log: MFH: r443016 security/heimdal: Backport security fix PR: 219657 Security: CVE-2017-6594 Approved by: ports-secteam (with hat) Changes: _U branches/2017Q2/ branches/2017Q2/security/heimdal/Makefile branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594
committed, thanks
A commit references this bug: Author: woodsb02 Date: Sat Jun 10 06:12:56 UTC 2017 New revision: 443070 URL: https://svnweb.freebsd.org/changeset/ports/443070 Log: Correct vulnerable versions of security/heimdal after the security fix was backported in 7.1.0_3 PR: 219657 Security: CVE-2017-6594 Changes: head/security/vuxml/vuln.xml
This patch breaks the build of security/heimdal on FreeBSD 11amd64. I have proposed a fix here: https://reviews.freebsd.org/D11125 The build error I am seeing: Making all in kdc cd . && perl ../cf/make-proto.pl -q -P comment -o kdc-protos.h default_config.c set_dbinfo.c digest.c fast.c kdc_locl.h kerberos5.c krb5tgs.c pkinit.c pkinit-ec.c log.c misc.c kx509.c process.c windc.c rx.h || rm -f kdc-protos.h Can't locate JSON.pm in @INC (you may need to install the JSON module) (@INC contains: /usr/local/lib/perl5/site_perl/mach/5.24 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.24/mach /usr/local/lib/perl5/5.24 .) at ../cf/make-proto.pl line 7. BEGIN failed--compilation aborted at ../cf/make-proto.pl line 7. cd . && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h default_config.c set_dbinfo.c digest.c fast.c kdc_locl.h kerberos5.c krb5tgs.c pkinit.c pkinit-ec.c log.c misc.c kx509.c process.c windc.c rx.h || rm -f kdc-private.h Can't locate JSON.pm in @INC (you may need to install the JSON module) (@INC contains: /usr/local/lib/perl5/site_perl/mach/5.24 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.24/mach /usr/local/lib/perl5/5.24 .) at ../cf/make-proto.pl line 7. BEGIN failed--compilation aborted at ../cf/make-proto.pl line 7. /bin/sh ../libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../lib/roken -I../lib/roken -I/usr/local/include -I/usr/local/include -I./../lib/krb5 -I/usr/local/include -isystem /usr/local/include -D_LARGE_FILES= -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -DINET6 -O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -MT default_config.lo -MD -MP -MF .deps/default_config.Tpo -c -o default_config.lo default_config.c libtool: compile: cc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../lib/roken -I../lib/roken -I/usr/local/include -I/usr/local/include -I./../lib/krb5 -I/usr/local/include -isystem /usr/local/include -D_LARGE_FILES= -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -DINET6 -O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -MT default_config.lo -MD -MP -MF .deps/default_config.Tpo -c default_config.c -fPIC -DPIC -o .libs/default_config.o In file included from default_config.c:36: ./kdc_locl.h:48:10: fatal error: 'kdc-private.h' file not found #include <kdc-private.h> ^~~~~~~~~~~~~~~ 1 error generated.
A commit references this bug: Author: feld Date: Sat Jun 10 17:38:14 UTC 2017 New revision: 443103 URL: https://svnweb.freebsd.org/changeset/ports/443103 Log: security/heimdal: Fix build Previous backported patch for CVE requires a new build dependency. PR: 219657 Reported by: Benjamin Woods MFH: 2017Q2 Differential Revision: https://reviews.freebsd.org/D11125 Changes: head/security/heimdal/Makefile
A commit references this bug: Author: feld Date: Sat Jun 10 17:38:49 UTC 2017 New revision: 443104 URL: https://svnweb.freebsd.org/changeset/ports/443104 Log: MFH: r443103 security/heimdal: Fix build Previous backported patch for CVE requires a new build dependency. PR: 219657 Reported by: Benjamin Woods Differential Revision: https://reviews.freebsd.org/D11125 Changes: _U branches/2017Q2/ branches/2017Q2/security/heimdal/Makefile