Bug 46590 - <=app-crypt/heimdal-0.6 - Cross-realm trust vulnerability
Summary: <=app-crypt/heimdal-0.6 - Cross-realm trust vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Highest blocker
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-02 05:41 UTC by Love
Modified: 2005-04-10 08:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Love 2004-04-02 05:41:11 UTC
app-crypt/heimdal needs to be update to heimdal 0.6.1

see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/

Reproducible: Always
Steps to Reproduce:
1. see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
Comment 1 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-04-02 07:55:19 UTC
Aron - would you create an ebuild for 0.6.1? Thanks. 
Comment 2 solar (RETIRED) gentoo-dev 2004-04-07 11:43:41 UTC
heimdal-0.6.1 added to portage as
KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips"

Every version below 0.6 (currently stable) has been removed from the tree.

I don't have krb setup so I have no way of verifying if this package's 
runtime environment works. One patch conflicted and seemed unneeded for 
gcc-3.3.x and was thus commented out.

From reading the .ebuild I fail to understand what this sed statement is 
doing other than wasting a few cpu cycles. 
(Maybe it should be sed -i -e)
sed -i "s:LIB_crypt = @LIB_crypt@:LIB_crypt = -lssl @LIB_crypt@:g" Makefile.in || die

Arch maintainers please test and mark stable if/when
ready. Please try to test/verify the runtime as well if you can.
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2004-04-07 12:35:18 UTC
From the sed info page:

    "If no `-e', `-f', `--expression', or `--file' options are given on
    the command-line, then the first non-option argument on the command
    line is taken to be the SCRIPT to be executed."

I prefer to see the -e there myself, but the sed line probably works as intended
without the -e.
Comment 4 Joshua Kinard gentoo-dev 2004-04-07 22:09:17 UTC
Marked stable on mips.
Comment 5 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 01:54:32 UTC
arches.  plztest.
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-08 07:11:02 UTC
Marked stable on Alpha.
Comment 7 Jon Portnoy (RETIRED) gentoo-dev 2004-04-08 07:33:59 UTC
Stable on amd64
Comment 8 Luca Barbato gentoo-dev 2004-04-08 09:10:55 UTC
Stable on ppc
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-04-08 10:17:25 UTC
Stable on sparc
Comment 10 solar (RETIRED) gentoo-dev 2004-04-09 01:39:25 UTC
Mr Bones (thanks)

Still waiting on x86 and a report that the runtime has been tested.
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-04-09 02:33:09 UTC
I don't think we're going to get a report on the runtime -- not many individual devs use kerberos for authentication.  Also, agriffis hasn't been responsive at all regarding this issue, so I recommend we bump to stable on x86.

We've given folks the opportunity to test -- we need to get this security fix out.
Comment 12 solar (RETIRED) gentoo-dev 2004-04-09 03:00:15 UTC
pushed to stable on x86.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371
Comment 13 Kurt Lieber (RETIRED) gentoo-dev 2004-04-09 03:52:07 UTC
GLSA 200404-09
Comment 14 Aron Griffis (RETIRED) gentoo-dev 2004-04-09 07:23:54 UTC
"agriffis hasn't been responsive at all regarding this issue, so I recommend we bump to stable on x86"

klieber, I don't use or maintain heimdal.  You asked me about it on IRC, I said, yeah, go ahead and bump it since we don't know anybody to test...  so I don't understand your comment.  :-(
Comment 15 Kurt Lieber (RETIRED) gentoo-dev 2004-04-09 07:56:20 UTC
sorry -- came across wrong.  that's what I get for trying to respond to bugs too quickly.  my apologies.
Comment 16 SpanKY gentoo-dev 2004-09-22 21:13:17 UTC
ia64 stable