Bug 46590 - <=app-crypt/heimdal-0.6 - Cross-realm trust vulnerability
Bug#: 46590 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: blocker Priority: P1
Resolution: FIXED Assigned To: security@gentoo.org Reported By: lha@kth.se
Component: GLSA Errors
URL: 
Summary: <=app-crypt/heimdal-0.6 - Cross-realm trust vulnerability
Keywords:  
Status Whiteboard: 
Opened: 2004-04-02 05:41 0000
Description:   Opened: 2004-04-02 05:41 0000 
app-crypt/heimdal needs to be update to heimdal 0.6.1

see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/

Reproducible: Always
Steps to Reproduce:
1. see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/

------- Comment #1 From Aida Escriva-Sammer 2004-04-02 07:55:19 0000 ------- 
Aron - would you create an ebuild for 0.6.1? Thanks.

------- Comment #2 From solar 2004-04-07 11:43:41 0000 ------- 
heimdal-0.6.1 added to portage as
KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips"

Every version below 0.6(currently stable) has been removed from the tree.

I don't have krb setup so I have no way of verifying if this package 
runtime environment works. One patch conflicted and seemed unneeded for 
gcc-3.3.x and was thus commented out.

From reading the .ebuild I fail to understand what this sed statement is 
doing other than wasting a few cpu cycles. 
(Maybe it should be sed -i -e)
sed -i "s:LIB_crypt = @LIB_crypt@:LIB_crypt = -lssl @LIB_crypt@:g" Makefile.in || die

Arch maintainers please test and mark stable if/when
ready. Please try test/verify the rumtime as well if you can.

------- Comment #3 From Mr. Bones. 2004-04-07 12:35:18 0000 ------- 
From the sed info page:

   "If no `-e', `-f', `--expression', or `--file' options are given on
the command-line, then the first non-option argument on the command
line is taken to be the SCRIPT to be executed."

I prefer to see the -e there myself, but the sed line probably works as intended
without the -e.

------- Comment #4 From Joshua Kinard 2004-04-07 22:09:17 0000 ------- 
Marked stable on mips.

------- Comment #5 From Kurt Lieber 2004-04-08 01:54:32 0000 ------- 
arches.  plztest.

------- Comment #6 From Bryan Østergaard (RETIRED) 2004-04-08 07:11:02 0000 ------- 
Marked stable on Alpha.

------- Comment #7 From Jon Portnoy (RETIRED) 2004-04-08 07:33:59 0000 ------- 
Stable on amd64

------- Comment #8 From Luca Barbato 2004-04-08 09:10:55 0000 ------- 
Stable on ppc

------- Comment #9 From Jason Wever (RETIRED) 2004-04-08 10:17:25 0000 ------- 
Stable on sparc

------- Comment #10 From solar 2004-04-09 01:39:25 0000 ------- 
Mr Bones (thanks)

Still waiting on x86 and a report that the runtime has been tested.

------- Comment #11 From Kurt Lieber 2004-04-09 02:33:09 0000 ------- 
I don't think we're going to get a report on the runtime -- not many individual
devs use kerberos for authentication.  Also, agriffis hasn't been responsive at
all regarding this issue, so I recommend we bump to stable on x86.

We've given folks the opportunity to test -- we need to get this security fix
out.

------- Comment #12 From solar 2004-04-09 03:00:15 0000 ------- 
pushed to stable on x86.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371

------- Comment #13 From Kurt Lieber 2004-04-09 03:52:07 0000 ------- 
GLSA 200404-09

------- Comment #14 From Aron Griffis (RETIRED) 2004-04-09 07:23:54 0000 ------- 
"agriffis hasn't been responsive at all regarding this issue, so I recommend we
bump to stable on x86"

klieber, I don't use or maintain heimdal.  You asked me about it on IRC, I
said, yeah, go ahead and bump it since we don't know anybody to test...  so I
don't understand your comment.  :-(

------- Comment #15 From Kurt Lieber 2004-04-09 07:56:20 0000 ------- 
sorry -- came across wrong.  that's what I get for trying to respond to bugs
too quickly.  my apologies.

------- Comment #16 From SpanKY 2004-09-22 21:13:17 0000 ------- 
ia64 stable