From debbugs-submit-bounces@debbugs.gnu.org Tue May 25 06:36:25 2021
Date: Tue, 25 May 2021 12:36:04 +0200
From: Solene Rapenne
To: guix-patches@gnu.org
Subject: [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Message-ID: <20210525123604.2dc745b3@perso.pw>

I removed the 2 patches for previous CVEs that are now merged within
gnutls sources.

I deliberately committed it to the master branch despite
"guix refresh --list-dependent gnutls" returning 5287 packages and
https://guix.gnu.org/manual/en/guix.html#Submitting-Patches saying that
packages with more than 3000 impacted packages should be committed on
core-updates. I did this because it's a minor update to fix a CVE, so it
would be weird to wait 6 months for this update.
---
 .../patches/gnutls-CVE-2021-20231.patch | 62 -------------------
 .../patches/gnutls-CVE-2021-20232.patch | 60 ------------------
 gnu/packages/tls.scm                    |  9 ++-
 3 files changed, 4 insertions(+), 127 deletions(-)
 delete mode 100644 gnu/packages/patches/gnutls-CVE-2021-20231.patch
 delete mode 100644 gnu/packages/patches/gnutls-CVE-2021-20232.patch
diff --git a/gnu/packages/patches/gnutls-CVE-2021-20231.patch b/gnu/packages/patches/gnutls-CVE-2021-20231.patch
deleted file mode 100644
index 5186522eee..0000000000
--- a/gnu/packages/patches/gnutls-CVE-2021-20231.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 29 Jan 2021 14:06:05 +0100 -Subject: [PATCH 1/2] key_share: avoid use-after-free around realloc - -Signed-off-by: Daiki Ueno ---- - lib/ext/key_share.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c -index ab8abf8fe..a8c4bb5cf 100644 ---- a/lib/ext/key_share.c -+++ b/lib/ext/key_share.c -@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, - { - unsigned i; - int ret; -- unsigned char *lengthp; -- unsigned int cur_length; - unsigned int generated =3D 0; - const gnutls_group_entry_st *group; - const version_entry_st *ver; -=20 - /* this extension is only being sent on client side */ - if (session->security_parameters.entity =3D=3D GNUTLS_CLIENT) { -+ unsigned int length_pos; -+ - ver =3D _gnutls_version_max(session); - if (unlikely(ver =3D=3D NULL || ver->key_shares =3D=3D 0)) - return 0; -@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, - if (!have_creds_for_tls13(session)) - return 0; -=20 -- /* write the total length later */ -- lengthp =3D &extdata->data[extdata->length]; -+ length_pos =3D extdata->length; -=20 - ret =3D - _gnutls_buffer_append_prefix(extdata, 16, 0); - if (ret < 0) - return gnutls_assert_val(ret); -=20 -- cur_length =3D extdata->length; -- - if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the g= roup */ - group =3D get_group(session); - if (unlikely(group =3D=3D NULL)) -@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, - } -=20 - /* copy actual length */ -- _gnutls_write_uint16(extdata->length - cur_length, lengthp); -+ _gnutls_write_uint16(extdata->length - length_pos - 2, -+ &extdata->data[length_pos]); -=20 - } else { /* server */ - ver =3D get_version(session); ---=20 -2.30.2 - 
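Review bot: deleting gnu/packages/patches/gnutls-CVE-2021-20231.patch (and gnutls-CVE-2021-20232.patch in the next file) without a matching change to gnu/local.mk leaves the entries that register both files in that list pointing at files that no longer exist, and the diffstat in the cover letter shows only the two patch files and gnu/packages/tls.scm changing. Add a hunk to gnu/local.mk that removes the `gnu/packages/patches/gnutls-CVE-2021-20231.patch` and `gnu/packages/patches/gnutls-CVE-2021-20232.patch` lines in the same commit, so the tree stays consistent at every revision.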
diff --git a/gnu/packages/patches/gnutls-CVE-2021-20232.patch b/gnu/packages/patches/gnutls-CVE-2021-20232.patch
deleted file mode 100644
index dc3a0be690..0000000000
--- a/gnu/packages/patches/gnutls-CVE-2021-20232.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 29 Jan 2021 14:06:23 +0100 -Subject: [PATCH 2/2] pre_shared_key: avoid use-after-free around realloc - -Signed-off-by: Daiki Ueno ---- - lib/ext/pre_shared_key.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c -index a042c6488..380bf39ed 100644 ---- a/lib/ext/pre_shared_key.c -+++ b/lib/ext/pre_shared_key.c -@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, - size_t spos; - gnutls_datum_t username =3D {NULL, 0}; - gnutls_datum_t user_key =3D {NULL, 0}, rkey =3D {NULL, 0}; -- gnutls_datum_t client_hello; -+ unsigned client_hello_len; - unsigned next_idx; - const mac_entry_st *prf_res =3D NULL; - const mac_entry_st *prf_psk =3D NULL; -@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, - assert(extdata->length >=3D sizeof(mbuffer_st)); - assert(ext_offset >=3D (ssize_t)sizeof(mbuffer_st)); - ext_offset -=3D sizeof(mbuffer_st); -- client_hello.data =3D extdata->data+sizeof(mbuffer_st); -- client_hello.size =3D extdata->length-sizeof(mbuffer_st); -+ client_hello_len =3D extdata->length-sizeof(mbuffer_st); -=20 - next_idx =3D 0; -=20 -@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, - } -=20 - if (prf_res && rkey.size > 0) { -+ gnutls_datum_t client_hello; -+ -+ client_hello.data =3D extdata->data+sizeof(mbuffer_st); -+ client_hello.size =3D client_hello_len; -+ - ret =3D compute_psk_binder(session, prf_res, - binders_len, binders_pos, - ext_offset, &rkey, &client_hello, 1, -@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, - } -=20 - if (prf_psk && user_key.size > 0 && info) { -+ gnutls_datum_t client_hello; -+ -+ client_hello.data =3D extdata->data+sizeof(mbuffer_st); -+ client_hello.size =3D client_hello_len; -+ - ret =3D compute_psk_binder(session, prf_psk, - binders_len, binders_pos, - ext_offset, 
&user_key, &client_hello, 0, ---=20 -2.30.2 - diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 174438ad87..ed8fc6532a 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -15,6 +15,7 @@ ;;; Copyright =C2=A9 2018 Cl=C3=A9ment Lassieur ;;; Copyright =C2=A9 2019 Mathieu Othacehe ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright =C2=A9 2021 Solene Rapenne ;;; ;;; This file is part of GNU Guix. ;;; @@ -164,7 +165,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") - (version "3.6.15") + (version "3.6.16") (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the 
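Review bot: changing the version field of the `gnutls` package in place changes its derivation, so on the master branch every one of the 5287 dependents counted in the cover letter would have to be rebuilt; for a package this deep in the graph, a CVE fix on master is delivered as a graft. Keep this package at `(version "3.6.15")` and add a `(replacement gnutls-3.6.16)` field instead, with `gnutls-3.6.16` defined as a package that inherits from `gnutls` and overrides only its version and source. Because a graft rewrites references in already-built dependents rather than rebuilding them, the change is only safe if 3.6.16 is ABI-compatible with 3.6.15, which should be verified (for example with abidiff on the two libgnutls.so files) and stated in the commit message.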
@@ -173,12 +174,10 @@ living in the same process.") (version-major+minor version) "/gnutls-" version ".tar.xz")) (patches (search-patches "gnutls-skip-trust-store-test.patch" - "gnutls-cross.patch" - "gnutls-CVE-2021-20231.patch" - "gnutls-CVE-2021-20232.patch")) + "gnutls-cross.patch")) (sha256 (base32 - "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) + "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v")))) (build-system gnu-build-system) (arguments `(#:tests? ,(not (or (%current-target-system)
--
2.31.1
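Review bot: dropping gnutls-CVE-2021-20231.patch and gnutls-CVE-2021-20232.patch from search-patches is only correct if the 3.6.16 tarball really contains the two upstream commits those deleted files carry (15beb4b193b2714d88107e7dffca781798684e7e and 75a937d97f4fefc6f9b08e3791f151445f551cb3, both dated 2021-01-29 and signed off by Daiki Ueno); the commit message states they are merged but not how that was confirmed, so cite the upstream release notes or the commit range in the commit message. If this update becomes a graft, the reduced patch list and the new sha256 "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v" belong in the origin of the `gnutls-3.6.16` replacement, while the 3.6.15 package keeps both CVE patches so that what dependents were built against does not change.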
From debbugs-submit-bounces@debbugs.gnu.org Tue May 25 11:50:04 2021
Date: Tue, 25 May 2021 11:49:54 -0400
From: Leo Famulari
To: Solene Rapenne via Guix-patches via
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
In-Reply-To: <20210525123604.2dc745b3@perso.pw>
Cc: 48648@debbugs.gnu.org

On Tue, May 25, 2021 at 12:36:04PM +0200, Solene Rapenne via Guix-patches via wrote:
> I removed the 2 patches for previous CVEs that are now merged within
> gnutls sources.

Thanks for this patch!

> I deliberately committed it to master branch despite
> guix refresh --list-dependent gnutls returns 5287 packages and that
> https://guix.gnu.org/manual/en/guix.html#Submitting-Patches says such
> packages with more than 3000 impacted packages should be committed
> on core-updates. I did this because it's a minor update to fix a CVE
> so this would be weird to wait 6 months for this update.

Whether or not the update is minor, we still have to use a "graft" [0] to
change packages with this many dependents on the master branch.
Due to the "functional packaging model" of Guix, every dependent of GnuTLS
must be recompiled when the GnuTLS package is changed. We would constantly
be rebuilding nearly every single package if we did not use grafts for
security updates, and that would be infeasible and inefficient.

Grafts effectively rewrite binary references in compiled software, so it's
kind of a kludge. The binary interface of the new grafted replacement must
be compatible with the original package, and if it's not, the problems can
be hidden and subtle.

For that reason, it's important to make the smallest change possible when
grafting, to reduce the chance of breakage.

So, the question is, does 3.6.16 include only the fix for CVE-2021-20305?
Or does it also include other changes? If the former, we should instead
cherry-pick the CVE bug fix instead of updating. Can you look into that
and let us know?
> --- a/gnu/packages/patches/gnutls-CVE-2021-20231.patch
> +++ /dev/null

If we do decide to update to 3.6.16, it's also necessary to deregister the
removed patch files in 'gnu/local.mk'. Check this commit for an example:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b

Finally, here is an example of setting up a graft that includes a single
new patch file:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b

And here is an example of a graft that "updates" a package:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=250a216cdc2d5425ee0053f3e614d54e0fb6aa90

From debbugs-submit-bounces@debbugs.gnu.org Tue May 25 15:46:28 2021
From: Marius Bakke
To: Leo Famulari, 48648@debbugs.gnu.org
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Tue, 25 May 2021 21:46:10 +0200
Message-ID: <87o8cyppfh.fsf@gnu.org>
Cc: Solene Rapenne

Leo Famulari writes:

> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should instead cherry-pick the CVE bug fix instead of updating.

GnuTLS usually mentions whether or not an update is ABI-compatible:

https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html

However it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package). I.e.:

  abidiff $(guix build gnutls)/lib/libgnutls.so \
          $(./pre-inst-env guix build gnutls)/lib/libgnutls.so

(this won't work because of multiple outputs, but you get the drill)

When there is no change, the graft _should_ be perfectly safe. If there
are changes, it becomes a judgement call. The 'abidiff' output is of great
assistance in that case.
Anyway, just some general notes on grafting. Thanks a lot for looking
after security issues, Solene.

From debbugs-submit-bounces@debbugs.gnu.org Tue May 25 16:01:03 2021
Date: Tue, 25 May 2021 16:00:53 -0400
From: Leo Famulari
To: Marius Bakke
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
In-Reply-To: <87o8cyppfh.fsf@gnu.org>
Cc: 48648@debbugs.gnu.org, Solene Rapenne

On Tue, May 25, 2021 at 09:46:10PM +0200, Marius Bakke wrote:
> GnuTLS usually mention whether or not an update is ABI-compatible:
>
> https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html

Ah, that's great. They say it's compatible.

> However it's good practice to verify that with something like 'abidiff'
> (from the 'libabigail' package). I.e.:
>
> abidiff $(guix build gnutls)/lib/libgnutls.so \
> $(./pre-inst-env guix build gnutls)/lib/libgnutls.so
>
> (this won't work because of multiple outputs, but you get the drill)

Solene, can you try it and let us know the result?
From debbugs-submit-bounces@debbugs.gnu.org Tue May 25 16:48:11 2021
Date: Tue, 25 May 2021 22:47:57 +0200
From: Solene Rapenne
To: Leo Famulari
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Message-ID: <20210525224757.5e28ca79@perso.pw>
Cc: 48648@debbugs.gnu.org, Marius Bakke

On Tue, 25 May 2021 16:00:53 -0400, Leo Famulari wrote:

> On Tue, May 25, 2021 at 09:46:10PM +0200, Marius Bakke wrote:
> > GnuTLS usually mention whether or not an update is ABI-compatible:
> >
> > https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html
>
> Ah, that's great. They say it's compatible.
>
> > However it's good practice to verify that with something like 'abidiff'
> > (from the 'libabigail' package). I.e.:
> >
> > abidiff $(guix build gnutls)/lib/libgnutls.so \
> > $(./pre-inst-env guix build gnutls)/lib/libgnutls.so
> >
> > (this won't work because of multiple outputs, but you get the drill)
>
> Solene, can you try it and let us know the result?

abidiff is an interesting program, very useful.

$ abidiff \
    /gnu/store/5yvzilh78996627i8avq532sl2c03i95-gnutls-3.6.15/lib/libgnutls.so \
    /gnu/store/akc7l65z459pnifrr6bcm97cjvmpvp9k-gnutls-3.6.16/lib/libgnutls.so
$ echo $?
0

I understand from the output that there is no ABI change.
From debbugs-submit-bounces@debbugs.gnu.org Thu May 27 10:29:03 2021
Date: Thu, 27 May 2021 10:28:54 -0400
From: Leo Famulari
To: Solene Rapenne
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
In-Reply-To: <20210525224757.5e28ca79@perso.pw>
Cc: 48648@debbugs.gnu.org, Marius Bakke

On Tue, May 25, 2021 at 10:47:57PM +0200, Solene Rapenne wrote:
> I understand from the output that there is no ABI change.

Great! So, what's left for this patch is to set up the graft.

Concretely, that means creating a new variable 'gnutls-3.6.16' that
inherits from 'gnutls' and adjusts the version and source fields. Then,
add a replacement field to the new 'gnutls' package that uses
'gnutls-3.6.16'.

Can you send a revised patch?
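A graft of the shape Leo describes here, and explains earlier in the thread (why the original package must stay untouched and what the replacement field does), written out as an added example in Guix's Scheme package language. This is not the revised patch that follows in the thread. It assumes the `gnutls` definition shown in the first patch (version 3.6.15, with both CVE patches), takes the 3.6.16 patch list and sha256 from that patch, and assumes the "mirror://gnupg/gnutls/v" URI prefix, of which the thread shows only the tail.

```scheme
;; Added example of a Guix graft for gnutls; not the patch posted in this
;; thread.  Assumes the `gnutls' package from gnu/packages/tls.scm as shown
;; in the first patch of the thread (version 3.6.15).

;; 1. The existing `gnutls' package is left at 3.6.15, with both CVE patches
;;    still applied, so its derivation and every dependent built against it
;;    are unchanged.  The only edit to it is one new field, placed right
;;    after (version "3.6.15"):
;;
;;      (replacement gnutls-3.6.16)
;;
;;    `replacement' is a thunked field, so the forward reference to a
;;    variable defined further down in the file is fine.  With the field in
;;    place, `guix build gnutls' builds gnutls-3.6.16 once and grafts it:
;;    the store references inside already-built dependents are rewritten to
;;    point at the replacement instead of rebuilding the 5287 dependents.
;;    That rewrite is purely textual, which is why the replacement has to be
;;    ABI-compatible with the original (abidiff on the two libgnutls.so
;;    files should report no change, as it does later in this thread).

;; 2. The replacement inherits every other field (build system, arguments,
;;    inputs, outputs) from `gnutls' and overrides only version and source.
;;    The two CVE patches are dropped because 3.6.16 carries those fixes
;;    upstream; the remaining two patches stay so the replacement is built
;;    the same way as the original.  A plain `define' (not `define-public')
;;    keeps it from showing up as a separate package in the public list.
(define gnutls-3.6.16
  (package
    (inherit gnutls)
    (version "3.6.16")
    (source (origin
              (method url-fetch)
              ;; Assumed URI prefix; the thread shows only the tail of it.
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; Same list as the 3.6.15 origin minus the two CVE patches.
              (patches (search-patches "gnutls-skip-trust-store-test.patch"
                                       "gnutls-cross.patch"))
              ;; Hash of the 3.6.16 tarball, as given in the first patch.
              (sha256
               (base32
                "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))))
```

To compare the two builds the way Marius suggests, `./pre-inst-env guix build --no-grafts gnutls` gives the untouched 3.6.15 output and `./pre-inst-env guix build -e '(@@ (gnu packages tls) gnutls-3.6.16)'` builds the replacement; both print one store path per output, so pick the main (`out`) path before handing the libgnutls.so files to abidiff. Without `--no-grafts`, `guix build gnutls` returns the grafted result, which still carries the 3.6.15 name but references the 3.6.16 library.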
From debbugs-submit-bounces@debbugs.gnu.org Fri May 28 13:07:16 2021
From: Solene Rapenne
To: Leo Famulari
Cc: 48648@debbugs.gnu.org, Marius Bakke
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Fri, 28 May 2021 19:06:52 +0200
Message-ID: <20210528190652.5eb6753c@perso.pw>

On Thu, 27 May 2021 10:28:54 -0400, Leo Famulari wrote:
> On Tue, May 25, 2021 at 10:47:57PM +0200, Solene Rapenne wrote:
> > I understand from the output that there is no ABI change.
>
> Great! So, what's left for this patch is to set up the graft.
>
> Concretely, that means creating a new variable 'gnutls-3.6.16' that
> inherits from 'gnutls' and adjusts the version and source fields. Then,
> add a replacement field to the new 'gnutls' package that uses
> 'gnutls-3.6.16'.
>
> Can you send a revised patch?

Here is the new patch.

From 086ebe0c9e2a8999d1ce46ffa75291ea5a25f2ed Mon Sep 17 00:00:00 2001
From: Solene Rapenne
Date: Fri, 28 May 2021 19:05:23 +0200
Subject: [PATCH] gnu: gnutls: Replace with 3.6.16 [fixes CVE-2021-20305].

---
 gnu/packages/tls.scm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 174438ad87..55410f3911 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -15,6 +15,7 @@ ;;; Copyright =C2=A9 2018 Cl=C3=A9ment Lassieur ;;; Copyright =C2=A9 2019 Mathieu Othacehe ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright =C2=A9 2021 Solene Rapenne ;;; ;;; This file is part of GNU Guix. ;;; @@ -165,6 +166,7 @@ living in the same process.") (package (name "gnutls") (version "3.6.15") + (replacement gnutls-3.6.16) (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the 
@@ -258,6 +260,22 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) =20 +;; Replacement package to fix CVE-2021-20305. +(define gnutls-3.6.16 + (package + (inherit gnutls) + (version "3.6.16") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches (search-patches "gnutls-skip-trust-store-test.patch" + "gnutls-cross.patch")) + (sha256 + (base32 + "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v"))))= )) + (define-public gnutls/guile-2.0 ;; GnuTLS for Guile 2.0. (package/inherit gnutls --=20 2.31.1 From debbugs-submit-bounces@debbugs.gnu.org Fri May 28 14:57:54 2021 Received: (at 48648-done) by debbugs.gnu.org; 28 May 2021 18:57:54 +0000 Received: from localhost ([127.0.0.1]:55364 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmhgA-0004iY-Ej for submit@debbugs.gnu.org; Fri, 28 May 2021 14:57:54 -0400 Received: from wout2-smtp.messagingengine.com ([64.147.123.25]:58243) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmhg7-0004iI-QZ for 48648-done@debbugs.gnu.org; Fri, 28 May 2021 14:57:52 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 06CE61D31; Fri, 28 May 2021 14:57:45 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Fri, 28 May 2021 14:57:46 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=4WYz01FHH4sg+zS7yoNGYWXS T8/EcHHsVWjUFQT485k=; b=yTxfTEV8PJSje6Y93Of0qTqMOAR6kbgnhlmBMyQN DJ1bQ+6bvCSzvTRoWsr9/0w08H5XFwg9j8OHCf0L/P2/0eC+ZolBvx6crBKE5moB QVdL8uyLNKhMiclk3t7Xp0+uoug0RKmw4EYrP/DcfnniefHvajBhPzJ7lvlIIBvI 7yE= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; 
From debbugs-submit-bounces@debbugs.gnu.org Fri May 28 14:57:54 2021
From: Leo Famulari
To: Solene Rapenne
Cc: 48648-done@debbugs.gnu.org, Marius Bakke
Subject: Re: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Fri, 28 May 2021 14:57:43 -0400
In-Reply-To: <20210528190652.5eb6753c@perso.pw>

On Fri, May 28, 2021 at 07:06:52PM +0200, Solene Rapenne wrote:
> From 086ebe0c9e2a8999d1ce46ffa75291ea5a25f2ed Mon Sep 17 00:00:00 2001
> From: Solene Rapenne
> Date: Fri, 28 May 2021 19:05:23 +0200
> Subject: [PATCH] gnu: gnutls: Replace with 3.6.16 [fixes CVE-2021-20305].

Thank you! I wrote the commit message and pushed as 0b70eb03cbcf5df7de9f468d9e2a3b53379779fe

From unknown Mon Jun 23 02:24:21 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 26 Jun 2021 11:24:07 +0000

bug archived.