Bug 219657 - security/heimdal: not marked vulnerable, below 7.3 vulnerable - CVE-2017-6594
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mark Felder
Reported: 2017-05-30 15:42 UTC by Phillip R. Jaenke
Modified: 2017-06-10 17:39 UTC
bugzilla: maintainer-feedback? (hrs)
feld: merge-quarterly+


Attachments
Suggested Makefile + distinfo updates (1.24 KB, patch)
2017-05-30 15:44 UTC, Phillip R. Jaenke
Backported fix for CVE-2017-6594 to 7.1.0 (6.74 KB, patch)
2017-06-03 15:42 UTC, Marcin Cieślak

Description Phillip R. Jaenke 2017-05-30 15:42:39 UTC
Heimdal 7.1 is vulnerable to CVE-2017-6594 - may permit bypass of capath policy. This has been addressed in Heimdal 7.3.0.
https://www.h5l.org/advisories.html?show=2017-04-13

Additionally, MASTER_SITES is now out of date - Heimdal is now distributed via GitHub releases.
https://www.h5l.org/sources.html
https://github.com/heimdal/heimdal/releases

Attempted to pull it up straight, but patches are not applying cleanly, so additional work will be needed. Makefile and distinfo patch provided here (but I may have gotten MASTER_SITES wrong.)
Comment 1 Phillip R. Jaenke 2017-05-30 15:44:19 UTC
Created attachment 183072
Suggested Makefile + distinfo updates

First swing at Makefile/distinfo updates - NOT SAFE FOR APPLYING. FreeBSD patches do NOT apply to 7.3.0 cleanly.
Comment 2 Mark Felder freebsd_committer 2017-05-31 15:21:01 UTC
adding port-secteam
Comment 3 commit-hook freebsd_committer 2017-05-31 15:31:09 UTC
A commit references this bug:

Author: feld
Date: Wed May 31 15:30:03 UTC 2017
New revision: 442221
URL: https://svnweb.freebsd.org/changeset/ports/442221

Log:
  Document heimdal vulnerability

  PR:		219657
  Security:	CVE-2017-6594

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Jung-uk Kim freebsd_committer 2017-05-31 20:09:50 UTC
If we cannot upgrade it to 7.3, I think we should add a patch, i.e.,

https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
Comment 5 Mark Felder freebsd_committer 2017-06-01 15:23:38 UTC
(In reply to Jung-uk Kim from comment #4)

Do you have an environment in which you can test the current version with that backported patch? If someone can validate it's working as expected we could push the patch and update the vuxml.
Comment 6 Marcin Cieślak 2017-06-03 15:42:36 UTC
Created attachment 183175
Backported fix for CVE-2017-6594 to 7.1.0

I have compiled it and my kdc seems to work. 5 tests fail from the test suite but that seems to be unrelated.
Comment 7 commit-hook freebsd_committer 2017-06-09 15:58:25 UTC
A commit references this bug:

Author: feld
Date: Fri Jun  9 15:57:31 UTC 2017
New revision: 443016
URL: https://svnweb.freebsd.org/changeset/ports/443016

Log:
  security/heimdal: Backport security fix

  PR:		219657
  MFH:		2017Q2
  Security:	CVE-2017-6594

Changes:
  head/security/heimdal/Makefile
  head/security/heimdal/files/patch-CVE-2017-6594
Comment 8 commit-hook freebsd_committer 2017-06-09 15:58:28 UTC
A commit references this bug:

Author: feld
Date: Fri Jun  9 15:58:13 UTC 2017
New revision: 443017
URL: https://svnweb.freebsd.org/changeset/ports/443017

Log:
  MFH: r443016

  security/heimdal: Backport security fix

  PR:		219657
  Security:	CVE-2017-6594

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q2/
  branches/2017Q2/security/heimdal/Makefile
  branches/2017Q2/security/heimdal/files/patch-CVE-2017-6594
Comment 9 Mark Felder freebsd_committer 2017-06-09 15:58:35 UTC
committed, thanks
Comment 10 commit-hook freebsd_committer 2017-06-10 06:13:37 UTC
A commit references this bug:

Author: woodsb02
Date: Sat Jun 10 06:12:56 UTC 2017
New revision: 443070
URL: https://svnweb.freebsd.org/changeset/ports/443070

Log:
  Correct vulnerable versions of security/heimdal after the security fix
  was backported in 7.1.0_3

  PR:		219657
  Security:	CVE-2017-6594

Changes:
  head/security/vuxml/vuln.xml
Comment 11 Ben Woods freebsd_committer 2017-06-10 06:19:16 UTC
This patch breaks the build of security/heimdal on FreeBSD 11 amd64.
I have proposed a fix here: https://reviews.freebsd.org/D11125

The build error I am seeing:
Making all in kdc
cd . && perl ../cf/make-proto.pl -q -P comment -o kdc-protos.h default_config.c 	 set_dbinfo.c	 	 digest.c		 fast.c			 kdc_locl.h		 kerberos5.c		 krb5tgs.c		 pkinit.c		 pkinit-ec.c		 log.c			 misc.c			 kx509.c			 process.c		 windc.c			 rx.h || rm -f kdc-protos.h
Can't locate JSON.pm in @INC (you may need to install the JSON module) (@INC contains: /usr/local/lib/perl5/site_perl/mach/5.24 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.24/mach /usr/local/lib/perl5/5.24 .) at ../cf/make-proto.pl line 7.
BEGIN failed--compilation aborted at ../cf/make-proto.pl line 7.
cd . && perl ../cf/make-proto.pl -q -P comment -p kdc-private.h default_config.c 	 set_dbinfo.c	 	 digest.c		 fast.c			 kdc_locl.h		 kerberos5.c		 krb5tgs.c		 pkinit.c		 pkinit-ec.c		 log.c			 misc.c			 kx509.c			 process.c		 windc.c			 rx.h || rm -f kdc-private.h
Can't locate JSON.pm in @INC (you may need to install the JSON module) (@INC contains: /usr/local/lib/perl5/site_perl/mach/5.24 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.24/mach /usr/local/lib/perl5/5.24 .) at ../cf/make-proto.pl line 7.
BEGIN failed--compilation aborted at ../cf/make-proto.pl line 7.
/bin/sh ../libtool  --tag=CC    --mode=compile cc -DHAVE_CONFIG_H  -I. -I. -I../include -I../include  -I../lib/roken -I../lib/roken -I/usr/local/include  -I/usr/local/include -I./../lib/krb5 -I/usr/local/include -isystem /usr/local/include -D_LARGE_FILES=  -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -DINET6 -O2 -pipe  -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -MT default_config.lo -MD -MP -MF .deps/default_config.Tpo -c -o default_config.lo default_config.c
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../lib/roken -I../lib/roken -I/usr/local/include -I/usr/local/include -I./../lib/krb5 -I/usr/local/include -isystem /usr/local/include -D_LARGE_FILES= -Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -DINET6 -O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing -MT default_config.lo -MD -MP -MF .deps/default_config.Tpo -c default_config.c  -fPIC -DPIC -o .libs/default_config.o
In file included from default_config.c:36:
./kdc_locl.h:48:10: fatal error: 'kdc-private.h' file not found
#include <kdc-private.h>
         ^~~~~~~~~~~~~~~
1 error generated.
Comment 12 commit-hook freebsd_committer 2017-06-10 17:38:46 UTC
A commit references this bug:

Author: feld
Date: Sat Jun 10 17:38:14 UTC 2017
New revision: 443103
URL: https://svnweb.freebsd.org/changeset/ports/443103

Log:
  security/heimdal: Fix build

  Previous backported patch for CVE requires a new build dependency.

  PR:		219657
  Reported by:	Benjamin Woods
  MFH:		2017Q2
  Differential Revision:	https://reviews.freebsd.org/D11125

Changes:
  head/security/heimdal/Makefile
Comment 13 commit-hook freebsd_committer 2017-06-10 17:39:50 UTC
A commit references this bug:

Author: feld
Date: Sat Jun 10 17:38:49 UTC 2017
New revision: 443104
URL: https://svnweb.freebsd.org/changeset/ports/443104

Log:
  MFH: r443103

  security/heimdal: Fix build

  Previous backported patch for CVE requires a new build dependency.

  PR:		219657
  Reported by:	Benjamin Woods
  Differential Revision:	https://reviews.freebsd.org/D11125

Changes:
_U  branches/2017Q2/
  branches/2017Q2/security/heimdal/Makefile