In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to
crash the KDC by sending a crafted UDP packet containing empty data
fields for client name or realm.
Security: CVE-2017-17439
This reverts commit 6cfea50ad1.
I think the reason for the revert was because of patch dependencies. We really
need this patch to fix heimdal build.
Or else:
$ nix-build -A heimdal
...
/tmp/nix-build-heimdal-1.5.3.drv-0/heimdal-1.5.3/base/.libs/libheimbase.so: undefined reference to `pthread_getspecific'
/tmp/nix-build-heimdal-1.5.3.drv-0/heimdal-1.5.3/base/.libs/libheimbase.so: undefined reference to `pthread_key_create'
/tmp/nix-build-heimdal-1.5.3.drv-0/heimdal-1.5.3/base/.libs/libheimbase.so: undefined reference to `pthread_setspecific'
collect2: error: ld returned 1 exit status
Makefile:509: recipe for target 'tc' failed
make[2]: *** [tc] Error 1
A few more libraries were switched to using the kerberos attribute
instead of krb5 in 5fe7439. So those libraries are now built against
heimdal instead of MIT kerberos.
One of those libraries is libtirpc, which results in the following build
output:
http://hydra.nixos.org/build/18423661/nixlog/1/raw
The reason for this is that "pkgconfig --libs" of heimdal lists
-lcrypto (which is part of OpenSSL), which is not propagated to
libtirpc.
See here (lines wrapped with backslash at the end of line):
$ nix-shell -p heimdal pkgconfig --command 'pkg-config --libs heimdal-gssapi'
-L/nix/store/cxjkl33j0mb4ilffaijl7gschbjzfv35-heimdal-1.5.3/lib -lgssapi \
-lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lroken -lcrypt \
-ldl -lresolv -pthread
Versus using MIT kerberos:
$ nix-shell -p krb5 pkgconfig --command 'pkg-config --libs krb5'
-L/nix/store/91vyw8yn89qnv8m8b35kgc4c4v7zp9as-krb5-1.13/lib -lkrb5 \
-lk5crypto -lcom_err
So the latter only lists libraries that are part of krb5 itself.
By adding openssh to propagatedBuildInputs, we should be able to build
any package that depends on either krb5/heimdal without any missing
dependencies.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>