From: Ryan Prior
Date: Sat, 30 Jan 2021 04:20:50 +0000
Subject: [bug#46183] [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

Hi Guix! Please review ASAP. This update fixes an exploitable heap overflow.

## Info
https://dev.gnupg.org/T5275
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html

Ryan Prior (1):
  gnu: libgcrypt: Update to 1.9.1.

 gnu/packages/gnupg.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

-- 
2.30.0

From: Ryan Prior
Date: Sat, 30 Jan 2021 04:24:31 +0000
Subject: [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.

* gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
--- gnu/packages/gnupg.scm | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index a2da166bb4..f226d092dc 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm
@@ -131,14 +131,13 @@ Daemon and possibly more in the future.") (define-public libgcrypt (package (name "libgcrypt") - (version "1.8.5") + (version "1.9.1") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-" version ".tar.bz2")) (sha256 - (base32 - "1hvsazms1bfd769q0ngl0r9g5i4m9mpz9jmvvrdzyzk3rfa2ljiv")))) + (base32 "1nb50bgzp83q6r5cz4v40y1mcbhpqwqyxlay87xp1lrbkf5pm9n= 5")))) (build-system gnu-build-system) (propagated-inputs `(("libgpg-error-host" ,libgpg-error))) --=20 2.30.0
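
Review bot: the version line moves from "1.8.5" to "1.9.1", crossing from the 1.8 series into 1.9 rather than to a later 1.8.x release, and the commit message does not say why the new series is needed; please state which versions the heap overflow affects and why this tree has to move to 1.9.1 to be fixed. The changelog entry also names "(libcrypt)" while the hunk edits "(define-public libgcrypt", so the entry should read "(libgcrypt)". The replacement base32 hash, now folded onto the same line as "(base32", should be checked against the upstream release tarball before this is applied.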

From: Tobias Geerinckx-Rice
Date: Sat, 30 Jan 2021 09:08:31 +0100
Subject: [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.

Ryan,

guix-patches--- via wrote:
> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.

Thanks.

> - (version "1.8.5")
> + (version "1.9.1")

libgcrypt has 12119(!) dependent packages. Can we use a graft
here? This nongrafted version can then go to core-updates.

Grafting means we keep these packages built against 1.8.5 and
force-feed them 1.9.1 instead, which might not work reliably
across minor versions but needs to be tried before rebuilding the
world.

Kind regards,

T G-R

From: Guillaume Le Vaillant
Date: Sat, 30 Jan 2021 09:39:16 +0100
Subject: [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.

guix-patches--- via wrote:

> Ryan,
>
> guix-patches--- via wrote:
>> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
>
> Thanks.
>
>> - (version "1.8.5")
>> + (version "1.9.1")
>
> libgcrypt has 12119(!) dependent packages. Can we use a graft here? This
> nongrafted version can then go to core-updates.
>
> Grafting means we keep these packages built against 1.8.5 and force-feed them
> 1.9.1 instead, which might not work reliably across minor versions but needs to
> be tried before rebuilding the world.
>
> Kind regards,
>
> T G-R

According to the news at https://gnupg.org:

--8<---------------cut here---------------start------------->8---
Libgcrypt 1.9.1 released (2021-01-29) important

Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
If you already started to use version 1.9.0 please update immediately to 1.9.1.
--8<---------------cut here---------------end--------------->8---

Currently the master and staging branch are using libgcrypt 1.8.5 and
core-updates is using 1.8.7. These versions don't have the critical bug
as it was introduced in version 1.9.0. So I think updating libgcrypt on
master is not an emergency, we just have to remember to never use
version 1.9.0.

From: lordyuuma@gmail.com
Date: Sat, 30 Jan 2021 08:56:08 +0100
Subject: [bug#46183] [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

Hi Ryan,

On Saturday, 30.01.2021 at 04:20 +0000, Ryan Prior wrote:
> Hi Guix! Please review ASAP. This update fixes an exploitable heap
> overflow.
>
> https://dev.gnupg.org/T5275
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html

I have some good news and some bad news. The good news is that
according to your sources this affects only version 1.9.0, so master is
currently safe. The bad news is that libgcrypt has more than 10000
dependants, so an update for it should go to core-updates.

Regards,
Leo

From: help-debbugs@gnu.org (GNU bug Tracking System)
Date: Mon, 01 Feb 2021 11:51:02 +0000
Subject: bug#46183: closed (Re: bug#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE])

Your bug report

#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 46183@debbugs.gnu.org.

-- 
46183: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=46183
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
Date: Mon, 01 Feb 2021 12:50:49 +0100
Subject: Re: bug#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

Hi,

Guillaume Le Vaillant wrote:

> According to the news at https://gnupg.org:
>
> Libgcrypt 1.9.1 released (2021-01-29) important
>
> Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
> If you already started to use version 1.9.0 please update immediately to 1.9.1.
>
> Currently the master and staging branch are using libgcrypt 1.8.5 and
> core-updates is using 1.8.7. These versions don't have the critical bug
> as it was introduced in version 1.9.0. So I think updating libgcrypt on
> master is not an emergency, we just have to remember to never use
> version 1.9.0.

Indeed. So closing this bug.

That said, we can update libgcrypt in ‘core-updates’.

Ludo’.