GNU bug report logs - #40475
[PATCH] gnu: GnuTLS: Fix CVE-2020-11501.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 6 Apr 2020 17:50:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#40475; Package guix-patches. (Mon, 06 Apr 2020 17:50:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 06 Apr 2020 17:50:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: GnuTLS: Fix CVE-2020-11501.
Date: Mon,  6 Apr 2020 13:48:39 -0400

* gnu/packages/patches/gnutls-CVE-2020-11501.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls/fixed): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
 gnu/local.mk                                  |  1 +
 .../patches/gnutls-CVE-2020-11501.patch       | 41 +++++++++++++++++++
 gnu/packages/tls.scm                          | 21 ++++++----
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/gnutls-CVE-2020-11501.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 77f9de2440..9953754398 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -983,6 +983,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnutls-skip-trust-store-test.patch	\
+  %D%/packages/patches/gnutls-CVE-2020-11501.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
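Review bot: the new `gnutls-CVE-2020-11501.patch` entry in `dist_patch_DATA` is placed after `gnutls-skip-trust-store-test.patch`, which breaks the alphabetical order the surrounding entries follow. Move it up one line so it sits between `gnupg-default-pinentry.patch` and `gnutls-skip-trust-store-test.patch`.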
diff --git a/gnu/packages/patches/gnutls-CVE-2020-11501.patch b/gnu/packages/patches/gnutls-CVE-2020-11501.patch
new file mode 100644
index 0000000000..0d84b7d082
--- /dev/null
+++ b/gnu/packages/patches/gnutls-CVE-2020-11501.patch
@@ -0,0 +1,41 @@
+Fix CVE-2020-11501:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
+https://gitlab.com/gnutls/gnutls/issues/960
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/gnutls/gnutls/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d
+
+From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler <at> web.de>
+Date: Fri, 27 Mar 2020 17:17:57 +0100
+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
+hello verify request", which failed to "De Morgan" properly.
+
+Signed-off-by: Stefan Bühler <stbuehler <at> web.de>
+---
+ lib/handshake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 5739df213..84a0e5210 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2167,7 +2167,7 @@ static int send_client_hello(gnutls_session_t session, int again)
+ 		/* Generate random data
+ 		 */
+ 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
++		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ 			ret = _gnutls_gen_client_random(session);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+-- 
+2.26.0
+
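Review bot: the embedded upstream change to `send_client_hello` in lib/handshake.c comes without a regression test, and the single-operator difference (`== 0` versus `!= 0` on `hsk_hello_verify_requests`) is the kind of condition that has already been inverted once, as the commit message's reference to bcf4de03 says. The hunk was cut against upstream at line 2167 and is applied here to the 3.6.9 source, so confirm it applies without fuzz, and consider a DTLS handshake check in the package's test phase that the ClientHello random is not all zeros.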
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bb80d86ba4..743d80a80f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,6 +162,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls/fixed)
     (version "3.6.9")
     (source (origin
              (method url-fetch)
@@ -244,10 +245,17 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls/guile-2.0
-  ;; GnuTLS for Guile 2.0.
+(define gnutls/fixed
   (package
     (inherit gnutls)
+    (source (origin
+              (inherit (package-source gnutls))
+              (patches (append (origin-patches (package-source gnutls))
+                               (search-patches "gnutls-CVE-2020-11501.patch")))))))
+
+(define-public gnutls/guile-2.0
+  ;; GnuTLS for Guile 2.0.
+  (package/inherit gnutls
     (name "guile2.0-gnutls")
     (inputs `(("guile" ,guile-2.0)
               ,@(alist-delete "guile" (package-inputs gnutls))))))
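Review bot: `gnutls/fixed` is introduced without a comment, so nothing at the definition says it is the graft for CVE-2020-11501 or that it should be dropped once `gnutls` itself moves past 3.6.9. A one-line `;;` comment above `(define gnutls/fixed` would cover it; the `(append (origin-patches ...) (search-patches ...))` form is right in that it keeps the patches the package already had.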
@@ -257,8 +265,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -266,8 +273,7 @@ required structures.")
 (define gnutls-3.6.10
   ;; This is for 'guile3.0-gnutls', below.  Version 3.6.10 is the first to
   ;; introduce Guile 2.9/3.0 support.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (version "3.6.10")
     (source (origin
               (inherit (package-source gnutls))
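Review bot: in `gnutls-3.6.10` the `source` override still inherits from `(package-source gnutls)`, and `package/inherit` applies the same overrides to the replacement, so the replacement built for this variant takes its source from the unpatched `gnutls` origin rather than from `gnutls/fixed`. As far as these lines show, `gnutls-CVE-2020-11501.patch` never reaches 3.6.10 or `guile3.0-gnutls`, which inherits from it. Either add the patch to this origin's `patches` explicitly or give 3.6.10 its own fixed replacement.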
@@ -286,8 +292,7 @@ required structures.")
        ("util-linux" ,util-linux)))))
 
 (define-public guile3.0-gnutls
-  (package
-    (inherit gnutls-3.6.10)
+  (package/inherit gnutls-3.6.10
     (name "guile3.0-gnutls")
     (arguments
      (substitute-keyword-arguments (package-arguments gnutls-3.6.10)
-- 
2.26.0





Information forwarded to guix-patches <at> gnu.org:
bug#40475; Package guix-patches. (Mon, 06 Apr 2020 18:23:02 GMT)

Message #8 received at 40475 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40475 <at> debbugs.gnu.org.
Subject: [v2] gnu: GnuTLS: Fix CVE-2020-11501.
Date: Mon,  6 Apr 2020 14:22:21 -0400

* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.6.13): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
 gnu/packages/tls.scm | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bb80d86ba4..e8b3d88944 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,6 +162,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.6.13)
     (version "3.6.9")
     (source (origin
              (method url-fetch)
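Review bot: `(replacement gnutls-3.6.13)` grafts a release four patch levels newer onto 3.6.9, and nothing next to the field records that the two are ABI-compatible, which a graft depends on. Add a short comment stating that and naming CVE-2020-11501 as the reason for the replacement.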
@@ -244,10 +245,23 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls/guile-2.0
-  ;; GnuTLS for Guile 2.0.
+(define gnutls-3.6.13
   (package
     (inherit gnutls)
+    (version "3.6.A")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-3.6.13.tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+              (sha256
+               (base32
+                "0f1gnm0756qms5cpx6yn6xb8d3imc2gkqmygf12n9x6r8zs1s11j"))))))
+
+(define-public gnutls/guile-2.0
+  ;; GnuTLS for Guile 2.0.
+  (package/inherit gnutls
     (name "guile2.0-gnutls")
     (inputs `(("guile" ,guile-2.0)
               ,@(alist-delete "guile" (package-inputs gnutls))))))
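Review bot: `(version "3.6.A")` in `gnutls-3.6.13` looks like a typo for "3.6.13"; the download still resolves only because the tarball name is hard-coded as "/gnutls-3.6.13.tar.xz" and `version-major+minor` uses just the first two components. Set the version to "3.6.13" and build the file name from `version`, so the version the package reports and the source it fetches cannot drift apart.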
@@ -257,8 +271,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -266,8 +279,7 @@ required structures.")
 (define gnutls-3.6.10
   ;; This is for 'guile3.0-gnutls', below.  Version 3.6.10 is the first to
   ;; introduce Guile 2.9/3.0 support.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (version "3.6.10")
     (source (origin
               (inherit (package-source gnutls))
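Review bot: `package/inherit` also applies the `(version "3.6.10")` and `source` overrides to the replacement, so the replacement generated for `gnutls-3.6.10` is `gnutls-3.6.13` turned back into 3.6.10 with a source inherited from `(package-source gnutls)`. This variant, and `guile3.0-gnutls` built on it, therefore does not pick up 3.6.13. Point 3.6.10 at an explicit fixed replacement, or update this variant itself.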
@@ -286,8 +298,7 @@ required structures.")
        ("util-linux" ,util-linux)))))
 
 (define-public guile3.0-gnutls
-  (package
-    (inherit gnutls-3.6.10)
+  (package/inherit gnutls-3.6.10
     (name "guile3.0-gnutls")
     (arguments
      (substitute-keyword-arguments (package-arguments gnutls-3.6.10)
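Review bot: the commit log lists this variable as `gnutls3.0-gnutls`, but the hunk changes `guile3.0-gnutls`. Correct the name in the changelog entry so the change can be found by searching for the variable.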
-- 
2.26.0





Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 06 Apr 2020 18:54:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 06 Apr 2020 18:54:02 GMT)

Message #13 received at 40475-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 40475-done <at> debbugs.gnu.org.
Subject: Re: [v2] gnu: GnuTLS: Fix CVE-2020-11501.
Date: Mon, 6 Apr 2020 14:53:26 -0400

On Mon, Apr 06, 2020 at 02:22:21PM -0400, Leo Famulari wrote:
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.6.13): New variable.
> (gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
> PACKAGE/INHERIT.

Pushed as a270af317d60e3a9aec23b54952717fffa117bda after review by
mbakke on the #guix IRC channel.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 05 May 2020 11:24:07 GMT)

This bug report was last modified 5 years and 43 days ago.
