Bug 12976 - heimdal embedded copy: delete or keep up to date
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-08-20 15:51 UTC by Paul Wise
Modified: 2017-08-21 11:54 UTC

Description Paul Wise 2017-08-20 15:51:27 UTC
As noted in bug #12505, the embedded copy of heimdal in samba is outdated, at least in respect to the krb5_storage_free function and this seems to cause some crashes in samba at times. There are probably other bugs in samba's copy of heimdal that were fixed in heimdal upstream.

https://git.samba.org/?p=samba.git;a=blob;f=source4/heimdal/lib/krb5/store.c;hb=HEAD#l270
https://github.com/heimdal/heimdal/blob/master/lib/krb5/store.c#L289
https://bugzilla.samba.org/show_bug.cgi?id=11824
https://bugzilla.samba.org/show_bug.cgi?id=12505
https://www.spinics.net/lists/samba/msg133243.html

samba's copy of heimdal needs to either be deleted or constantly kept up to date with the latest upstream release. My personal preference would be to just delete it. Given the recent rate of heimdal upstream releases, deleting it would probably be less work in the long run. Given the recent security issue for heimdal (CVE-2017-11103), deleting it would probably result in less work for distro security teams, especially since samba builds take much longer than heimdal.

https://github.com/heimdal/heimdal/releases
https://orpheus-lyre.info/

If there are modifications to samba's copy of heimdal then it will need to be kept up to date instead. If possible, any such modifications should be sent upstream to heimdal. If they are not appropriate for upstream, then the release process for samba should be adjusted to include a check for the latest heimdal upstream release version.