From 5566bf97e56e483e3bb3678c419c2fd37fae3361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edward=20Tj=C3=B6rnhammar?=
Date: Wed, 21 Mar 2018 21:12:39 +0100
Subject: [PATCH] libheimdal: 7.4.0 -> 7.5.0

In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm.
Security: CVE-2017-17439
---
 .../kerberos/heimdal-make-missing-headers.patch | 10 ++++++++++
 pkgs/development/libraries/kerberos/heimdal.nix | 10 ++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch

diff --git a/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch b/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch
new file mode 100644
index 00000000000..a0fa625538b
--- /dev/null
+++ b/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch
@@ -0,0 +1,10 @@
+--- a/lib/hx509/Makefile.am 2018-03-21 15:41:38.622968809 +0100
++++ b/lib/hx509/Makefile.am 2018-03-21 15:41:32.655162197 +0100
+@@ -9,6 +9,8 @@
+ sel-gram.h \
+ $(gen_files_ocsp:.x=.c) \
+ $(gen_files_pkcs10:.x=.c) \
++ ocsp_asn1.h \
++ pkcs10_asn1.h \
+ hx509_err.c \
+ hx509_err.h
diff --git a/pkgs/development/libraries/kerberos/heimdal.nix b/pkgs/development/libraries/kerberos/heimdal.nix
index 81f878daaaa..b72a00d242e 100644
--- a/pkgs/development/libraries/kerberos/heimdal.nix
+++ b/pkgs/development/libraries/kerberos/heimdal.nix
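Review bot: The new heimdal-make-missing-headers.patch carries no description of why `ocsp_asn1.h` and `pkcs10_asn1.h` are being added to the list in lib/hx509/Makefile.am, so the next person bumping libheimdal cannot tell whether the patch is still needed or safe to drop. The hunk sits next to `$(gen_files_ocsp:.x=.c)` and `$(gen_files_pkcs10:.x=.c)`, which suggests these are generated ASN.1 headers that must exist before the sources including them are compiled, but that is an inference from the names. A short preamble above the `--- a/lib/hx509/Makefile.am` line, or a comment beside `patches = [ ./heimdal-make-missing-headers.patch ];` in heimdal.nix such as `# 7.5.0 build fix: generate the hx509 ASN.1 headers before the files that include them — confirm against upstream`, would record the reason and the upstream status.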
@@ -12,15 +12,17 @@ in with stdenv.lib;
 
 stdenv.mkDerivation rec {
 name = "${type}heimdal-${version}";
- version = "7.4.0";
+ version = "7.5.0";
 
 src = fetchFromGitHub {
 owner = "heimdal";
 repo = "heimdal";
 rev = "heimdal-${version}";
- sha256 = "01ch6kqjrxi9fki54yjj2fhxhdkxijz161w2inh5k8mcixlf67vp";
+ sha256 = "1j38wjj4k0q8vx168k3d3k0fwa8j1q5q8f2688nnx1b9qgjd6w1d";
 };
 
+ patches = [ ./heimdal-make-missing-headers.patch ];
+
 nativeBuildInputs = [ autoreconfHook pkgconfig python2 perl yacc flex ]
 ++ (with perlPackages; [ JSON ])
 ++ optional (!libOnly) texinfo;
@@ -44,6 +46,10 @@ stdenv.mkDerivation rec {
 "--with-capng"
 ];
 
+ postUnpack = ''
+ sed -i '/^DEFAULT_INCLUDES/ s,$, -I..,' source/cf/Makefile.am.common
+ '';
+
 buildPhase = optionalString libOnly ''
 (cd include; make -j $NIX_BUILD_CORES)
 (cd lib; make -j $NIX_BUILD_CORES)
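Review bot: The `sed -i '/^DEFAULT_INCLUDES/ s,$, -I..,'` added in the second hunk succeeds silently when the `^DEFAULT_INCLUDES` anchor no longer matches, so a future upstream change to cf/Makefile.am.common would only surface later as an unrelated missing-header compile error rather than at the edit. Adding a check right after it, `grep -q -- ' -I\.\.$' source/cf/Makefile.am.common`, fails the build at the point where the assumption breaks. The edit also hard-codes the `source/` directory name and runs in postUnpack, before the patch in `patches` is applied; doing it in `postPatch` instead, with the path written as `cf/Makefile.am.common`, would drop the dependence on the unpack directory name and keep all source modifications in one phase. Both hunks here belong to the same `stdenv.mkDerivation rec { … }` expression, which starts and ends outside the hunks.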