GNU bug report logs -
#46183
[PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
Reported by: Ryan Prior <rprior <at> protonmail.com>
Date: Sat, 30 Jan 2021 04:22:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 04:22:02 GMT)
Acknowledgement sent to Ryan Prior <rprior <at> protonmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 30 Jan 2021 04:22:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi Guix! Please review ASAP. This update fixes an exploitable heap overflow.
## Info
https://dev.gnupg.org/T5275
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
Ryan Prior (1):
gnu: libgcrypt: Update to 1.9.1.
gnu/packages/gnupg.scm | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--
2.30.0
Information forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 04:25:01 GMT)
Message #8 received at 46183 <at> debbugs.gnu.org:
* gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
---
gnu/packages/gnupg.scm | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a2da166bb4..f226d092dc 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -131,14 +131,13 @@ Daemon and possibly more in the future.")
(define-public libgcrypt
(package
(name "libgcrypt")
- (version "1.8.5")
+ (version "1.9.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
version ".tar.bz2"))
(sha256
- (base32
- "1hvsazms1bfd769q0ngl0r9g5i4m9mpz9jmvvrdzyzk3rfa2ljiv"))))
+ (base32 "1nb50bgzp83q6r5cz4v40y1mcbhpqwqyxlay87xp1lrbkf5pm9n5"))))
(build-system gnu-build-system)
(propagated-inputs
`(("libgpg-error-host" ,libgpg-error)))
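Review bot: the ChangeLog entry at the top of this patch names `(libcrypt)` while the variable the hunk changes is `libgcrypt`; the entry should read `* gnu/packages/gnupg.scm (libgcrypt): Update to 1.9.1.` A second point for the same hunk: it edits only `version` and `sha256` in a package that, per the thread, has over 12000 dependants, so applying it on master triggers a full rebuild of everything downstream; either add a `(replacement ...)` field pointing at a grafted 1.9.1 variant (with the caveat raised later in the thread that a 1.8 to 1.9 graft is only safe if the ABI is unchanged) or target core-updates, which is where the thread concludes the update belongs. Before merging, the new base32 hash should also be reproduced from the upstream tarball at the same mirror URL (for example with `guix download`) and checked against the release signature.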
--
2.30.0
Information forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 08:09:01 GMT)
Message #11 received at submit <at> debbugs.gnu.org:
Ryan,
guix-patches--- via wrote:
> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
Thanks.
> - (version "1.8.5")
> + (version "1.9.1")
libgcrypt has 12119(!) dependent packages. Can we use a graft
here? This nongrafted version can then go to core-updates.
Grafting means we keep these packages built against 1.8.5 and
force-feed them 1.9.1 instead, which might not work reliably
across minor versions but needs to be tried before rebuilding the
world.
Kind regards,
T G-R
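The graft T G-R proposes would be expressed in Guix roughly as follows. This is an added illustration, not code from the thread or from Guix's own gnu/packages/gnupg.scm: it assumes it sits inside that module (so `(guix packages)`, `(guix download)`, `(guix build-system gnu)` and `(guix licenses)` with the `license:` prefix are already imported), the name `libgcrypt/fixed` is assumed, and the synopsis, description and license values are assumed placeholders rather than copies of the real definition. The versions and hashes are the ones from the patch above.

```scheme
;; Added example of a libgcrypt graft; not the project's code.  Assumes the
;; surrounding module imports of gnupg.scm; libgcrypt/fixed is an assumed name.

(define-public libgcrypt
  (package
    (name "libgcrypt")
    (version "1.8.5")                 ; dependants stay built against this
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
                "1hvsazms1bfd769q0ngl0r9g5i4m9mpz9jmvvrdzyzk3rfa2ljiv"))))
    (build-system gnu-build-system)
    (propagated-inputs
     `(("libgpg-error-host" ,libgpg-error)))
    ;; The graft: every store reference to this package's output is rewritten
    ;; to point at the output of LIBGCRYPT/FIXED, with no rebuild of the
    ;; ~12000 dependants.  Nothing is recompiled, so the replacement must be
    ;; ABI-compatible; that is exactly the risk of a 1.8 -> 1.9 graft.
    (replacement libgcrypt/fixed)
    ;; Descriptive fields below are assumed placeholders, not gnupg.scm's text.
    (synopsis "Cryptographic function library")
    (description "General-purpose cryptographic library used by GnuPG.")
    (home-page "https://gnupg.org/")
    (license license:lgpl2.0+)))

;; The replacement inherits everything and only swaps the source.  Guix
;; rewrites store paths in place, so the replacement's store name must have
;; the same length as the original: "libgcrypt-1.8.5" and "libgcrypt-1.9.1"
;; satisfy that.
(define-public libgcrypt/fixed
  (package
    (inherit libgcrypt)
    (version "1.9.1")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
                "1nb50bgzp83q6r5cz4v40y1mcbhpqwqyxlay87xp1lrbkf5pm9n5"))))))
```

With this in place, `guix build libgcrypt` returns the grafted 1.9.1 output, while `guix build --no-grafts libgcrypt` shows the untouched 1.8.5 store item that dependants were compiled against.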
Information forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 08:09:01 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 08:40:02 GMT)
Message #17 received at 46183 <at> debbugs.gnu.org:
guix-patches--- via <guix-patches <at> gnu.org> wrote:
> Ryan,
>
> guix-patches--- via wrote:
>> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
>
> Thanks.
>
>> - (version "1.8.5")
>> + (version "1.9.1")
>
> libgcrypt has 12119(!) dependent packages. Can we use a graft here? This
> nongrafted version can then go to core-updates.
>
> Grafting means we keep these packages built against 1.8.5 and force-feed them
> 1.9.1 instead, which might not work reliably across minor versions but needs to
> be tried before rebuilding the world.
>
> Kind regards,
>
> T G-R
According to the news at https://gnupg.org:
--8<---------------cut here---------------start------------->8---
Libgcrypt 1.9.1 released (2021-01-29) important
Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
If you already started to use version 1.9.0 please update immediately to 1.9.1.
--8<---------------cut here---------------end--------------->8---
Currently the master and staging branch are using libgcrypt 1.8.5 and
core-updates is using 1.8.7. These versions don't have the critical bug
as it was introduced in version 1.9.0. So I think updating libgcrypt on
master is not an emergency, we just have to remember to never use
version 1.9.0.
Information forwarded to guix-patches <at> gnu.org: bug#46183; Package guix-patches. (Sat, 30 Jan 2021 08:41:01 GMT)
Message #20 received at 46183 <at> debbugs.gnu.org:
Hi Ryan,
On Saturday, 30.01.2021, 04:20 +0000, Ryan Prior wrote:
> Hi Guix! Please review ASAP. This update fixes an exploitable heap
> overflow.
>
> https://dev.gnupg.org/T5275
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
I have some good news and some bad news. The good news is that,
according to your sources, this affects only version 1.9.0, so master is
currently safe. The bad news is that libgcrypt has more than 10000
dependants, so an update for it should go to core-updates.
Regards,
Leo
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Mon, 01 Feb 2021 11:51:01 GMT)
Notification sent to Ryan Prior <rprior <at> protonmail.com>: bug acknowledged by developer. (Mon, 01 Feb 2021 11:51:02 GMT)
Message #25 received at 46183-done <at> debbugs.gnu.org:
Hi,
Guillaume Le Vaillant <glv <at> posteo.net> wrote:
> According to the news at https://gnupg.org:
>
> Libgcrypt 1.9.1 released (2021-01-29) important
>
> Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
> If you already started to use version 1.9.0 please update immediately to 1.9.1.
>
> Currently the master and staging branch are using libgcrypt 1.8.5 and
> core-updates is using 1.8.7. These versions don't have the critical bug
> as it was introduced in version 1.9.0. So I think updating libgcrypt on
> master is not an emergency, we just have to remember to never use
> version 1.9.0.
Indeed. So closing this bug. That said, we can update libgcrypt in
‘core-updates’.
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Mar 2021 12:24:05 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.