A security issue in heimdal has been announced on February 8: https://www.openwall.com/lists/oss-security/2023/02/08/1 The fix for CVE-2022-3437 (Bug 31172) has a logic error. A patch to fix the issue is in the message linked above. Mageia 8 is also affected.
Debian has issued an advisory for this on February 8: https://www.debian.org/security/2023/dsa-5344
(In reply to David Walser from comment #1)
> Debian has issued an advisory for this on February 8:
> https://www.debian.org/security/2023/dsa-5344

as has Ubuntu: https://ubuntu.com/security/notices/USN-5849-1
Assigning to our registered heimdal maintainer.
CC: (none) => marja11
Assignee: bugsquad => guillomovitch
Fixed in heimdal-7.8.0-2.mga9 by Guillaume.
Version: Cauldron => 8
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted. (CVE-2022-45142)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45142
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://www.debian.org/security/2023/dsa-5344
https://ubuntu.com/security/notices/USN-5849-1
========================

Updated packages in core/updates_testing:
========================
heimdal-devel-7.7.1-1.3.mga8
heimdal-devel-doc-7.7.1-1.3.mga8
heimdal-libs-7.7.1-1.3.mga8
heimdal-server-7.7.1-1.3.mga8
heimdal-workstation-7.7.1-1.3.mga8

from SRPM:
heimdal-7.7.1-1.3.mga8.src.rpm
Source RPM: heimdal-7.8.0-1.mga9.src.rpm => heimdal-7.7.1-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs
CC: (none) => nicolas.salguero
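The advisory above describes a check whose sense was flipped during a backport: a constant-time compare returns 0 on equality, so a "!= 0" test placed on the wrong side accepts mismatching message integrity codes and rejects matching ones. The following C is an added illustration written for this bug report, not Heimdal's code: `ct_memcmp` is a hypothetical constant-time compare (the name mirrors the kind of helper the fix introduced, the body is mine), `MIC_LEN` of 8 bytes and the sample MIC are assumed values, and `mic_check_regression` is the kind of two-case test that would have caught the inversion before release.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIC_LEN 8  /* assumed MIC checksum length for this example */

/* Constant-time byte comparison: returns 0 when the buffers are equal and
 * non-zero otherwise, touching every byte regardless of where they differ.
 * Hypothetical stand-alone version, not Heimdal's roken implementation. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff;
}

/* Correct check: the MIC is valid only when the compare reports equality. */
int mic_is_valid_fixed(const uint8_t *expected, const uint8_t *received)
{
    return ct_memcmp(expected, received, MIC_LEN) == 0;
}

/* Inverted check modelling the backport defect the advisory describes: the
 * "!= 0" test ends up accepting a MIC that does NOT match and rejecting one
 * that does. Kept only so the regression test below can show the difference. */
int mic_is_valid_inverted(const uint8_t *expected, const uint8_t *received)
{
    return ct_memcmp(expected, received, MIC_LEN) != 0;
}

/* Minimal regression test for any MIC check: a matching MIC must be accepted
 * and a MIC with a single flipped bit must be rejected. Returns 1 on pass. */
int mic_check_regression(int (*check)(const uint8_t *, const uint8_t *))
{
    /* Constructed sample MIC; the bytes themselves do not matter here. */
    const uint8_t computed[MIC_LEN] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    uint8_t tampered[MIC_LEN];
    memcpy(tampered, computed, MIC_LEN);
    tampered[MIC_LEN - 1] ^= 0x01;  /* single-bit change in the last byte */

    int accepts_good = check(computed, computed);
    int rejects_bad = !check(computed, tampered);
    return accepts_good && rejects_bad;
}

int main(void)
{
    printf("fixed check:    %s\n", mic_check_regression(mic_is_valid_fixed) ? "PASS" : "FAIL");
    printf("inverted check: %s\n", mic_check_regression(mic_is_valid_inverted) ? "PASS" : "FAIL");
    return 0;
}
```

Both halves of the regression matter: a test that only feeds a valid MIC would pass the inverted check as "rejects everything" is never exercised, and a test that only feeds a tampered MIC would pass it too. Running both cases against each backported branch is the cheap guard against exactly this class of sign error.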
MGA8-64 MATE on Acer Aspire 5253

On selecting heimdal-devel, I get:

The following packages have to be removed for others to be upgraded:
curl-examples-7.74.0-1.11.mga8.noarch (due to unsatisfied curl-devel >= 1:7.74.0-1.11.mga8)
lib64curl-devel-7.74.0-1.11.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64dcmtk-devel-3.6.5-3.1.mga8.x86_64 (due to missing devel(libwrap(64bit)))
lib64gsasl-devel-1.8.1-2.1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64krb53-devel-1.18.3-1.3.mga8.x86_64 (due to conflicts with heimdal-devel-7.7.1-1.3.mga8.x86_64)
lib64nsl-devel-1.3.0-2.mga8.x86_64 (due to unsatisfied pkgconfig(libtirpc) >= 1.0.1)
lib64qt5network-devel-5.15.2-4.8.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64qt5positioning-devel-5.15.2-1.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing pkgconfig(Qt5Qml), due to missing devel(libQt5Qml(64bit)), due to missing pkgconfig(Qt5Quick), due to missing devel(libQt5Quick(64bit)))
lib64qt5qml-devel-5.15.2-1.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing pkgconfig(Qt5Network))
lib64qt5qmlmodels-devel-5.15.2-1.mga8.x86_64 (due to missing pkgconfig(Qt5Qml), due to missing devel(libQt5Qml(64bit)))
lib64qt5quick-devel-5.15.2-1.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing pkgconfig(Qt5Qml), due to missing devel(libQt5Qml(64bit)), due to missing devel(libQt5QmlModels(64bit)), due to missing pkgconfig(Qt5QmlModels))
lib64qt5webchannel-devel-5.15.2-1.mga8.x86_64 (due to missing pkgconfig(Qt5Qml), due to missing devel(libQt5Qml(64bit)))
lib64qt5webkit-devel-5.212.0-1.alpha4.6.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing pkgconfig(Qt5Network), due to missing devel(libQt5Qml(64bit)), due to missing devel(libQt5Quick(64bit)), due to missing devel(libQt5Positioning(64bit)), due to missing devel(libQt5WebChannel(64bit)))
lib64qt5webkitwidgets-devel-5.212.0-1.alpha4.6.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing pkgconfig(Qt5Network), due to missing devel(libQt5WebKit(64bit)), due to missing pkgconfig(Qt5WebKit))
lib64soup-devel-2.72.0-1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64ssh-devel-0.9.6-1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64tirpc-devel-1.3.3-1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64webkit2-devel-2.38.5-1.mga8.x86_64 (due to missing pkgconfig(libsoup-2.4), due to missing devel(libsoup-2.4(64bit)))
lib64wkhtmltox-devel-0.12.5-4.1.mga8.x86_64 (due to missing devel(libQt5Network(64bit)), due to missing devel(libQt5WebKit(64bit)), due to missing devel(libQt5WebKitWidgets(64bit)))
lib64wrap-devel-7.6-51.mga8.x86_64 (due to missing devel(libnsl(64bit)))
CC: (none) => herman.viaene
Looks like you have a mix of other packages from updates_testing installed. Either downgrade those or enable updates_testing.
I use QARepo to load only the rpms specified in the update bug. Thus the contents of QArepo is always small; I clear it before the next bug. What you suggest is that dependencies of other recent updates that I tested and are still pending are causing this?
Normally devel packages are not installed as part of testing as they are used for compiling programs that use the packages being installed. The main exception is the kernel devel packages that are needed to compile dkms packages. Don't include the devel packages when using qa repo.
CC: (none) => davidwhodgins
OK, easy enough, that installs OK.
Ref bug 31172 for testing:

systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center ser>
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; ven>
     Active: active (running) since Thu 2023-03-16 15:56:56 CET; 59s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 14393 (kdc)
      Tasks: 3 (limit: 4364)
     Memory: 1.7M
        CPU: 46ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─14393 /usr/libexec/kdc
             ├─14395 /usr/libexec/kdc
             └─14396 /usr/libexec/kdc

Mar 16 15:56:56 mach7.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerber>

[root@mach7 ~]# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS

This makes sense.

$ verify_krb5_conf
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: //etc/krb5.conf:3: binding before section

Seems all OK
Whiteboard: (none) => MGA8-64-OK
(In reply to Herman Viaene from comment #8)
> I use QARepo to load only the rpm's specified in the update bug. Thus the
> contents of QArepo is always small, I clear it before the next bug.
> What you suggest is that dependencies of other recent updates that I tested
> and are still pending, are causing this?

Yes, exactly.
Validating. Advisory in comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0098.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED