
Bug 686034

Summary: <app-crypt/heimdal-7.6.0: S4U2Self with unkeyed checksum (CVE-2018-16860)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kerberos, mgorny
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=710666
Whiteboard: B3 [noglsa]
Package list:
app-crypt/heimdal-7.6.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 686032    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-15 15:09:49 UTC
See tracker bug for more information.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-05-16 08:36:07 UTC
heimdal-7.6.0 has been released addressing this issue...
Comment 2 Larry the Git Cow gentoo-dev 2019-05-17 07:48:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c8fbea00ec59fad9583f6b815e89dcd33271faa

commit 5c8fbea00ec59fad9583f6b815e89dcd33271faa
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-05-17 07:47:28 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-05-17 07:47:55 +0000

    app-crypt/heimdal: security bump to 7.6.0
    
    Bug: https://bugs.gentoo.org/686034
    Closes: https://bugs.gentoo.org/649492
    Closes: https://bugs.gentoo.org/647880
    Closes: https://bugs.gentoo.org/641762
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/heimdal/Manifest                         |   1 +
 .../files/heimdal_build-headers-before-use.patch   |  29 ++++
 app-crypt/heimdal/files/heimdal_fix-db60.patch     |  11 ++
 app-crypt/heimdal/files/heimdal_hcrypto.patch      |  45 +++++
 app-crypt/heimdal/heimdal-7.6.0.ebuild             | 185 +++++++++++++++++++++
 app-crypt/heimdal/metadata.xml                     |   3 +
 6 files changed, 274 insertions(+)
Comment 3 Eray Aslan gentoo-dev 2019-05-17 07:56:08 UTC
Arches, please test and mark stable
=app-crypt/heimdal-7.6.0

Target Keywords = alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh ~sparc x86 ~amd64-fbsd
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-05-18 15:40:29 UTC
arm64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-19 13:17:39 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-19 20:32:11 UTC
amd64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:19:11 UTC
arm stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-26 09:48:07 UTC
s390 stable
Comment 9 Rolf Eike Beer archtester 2019-05-31 21:03:52 UTC
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-06 06:46:34 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-07 10:05:29 UTC
ia64 stable
Comment 12 Eray Aslan gentoo-dev 2019-08-08 06:07:55 UTC
ping ppc ppc64
Comment 13 Agostino Sarubbo gentoo-dev 2019-08-13 10:31:23 UTC
ppc stable
Comment 14 Rolf Eike Beer archtester 2020-04-17 15:38:12 UTC
sparc stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2020-07-28 20:05:01 UTC
GLSA Vote: no
Comment 16 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-08-13 20:21:33 UTC
ppc64, ping.
Comment 17 ernsteiswuerfel archtester 2020-08-20 13:05:03 UTC
heimdal-7.6.0 passes tests on ppc64 but certain USE-flag combinations fail to build, e.g. bug #738190.
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-07 18:27:22 UTC
ppc64 stable
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-07 19:31:21 UTC
Please cleanup.
Comment 20 Larry the Git Cow gentoo-dev 2020-09-08 06:36:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1a86a0c8b561fdd8a53e91ed7f8b2334e40b98c

commit c1a86a0c8b561fdd8a53e91ed7f8b2334e40b98c
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-09-08 06:35:35 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-09-08 06:35:35 +0000

    app-crypt/heimdal: cleanup
    
    Bug: https://bugs.gentoo.org/686034
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/heimdal/Manifest             |   1 -
 app-crypt/heimdal/heimdal-7.5.0.ebuild | 173 ---------------------------------
 app-crypt/heimdal/metadata.xml         |   3 -
 3 files changed, 177 deletions(-)
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 23:55:04 UTC
Thanks!