GNU bug report logs - #48648 [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Reported by: Solene Rapenne <solene <at> perso.pw>
Date: Tue, 25 May 2021 10:37:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
On Tue, May 25, 2021 at 12:36:04PM +0200, Solene Rapenne via Guix-patches via wrote:
> I removed the 2 patches for previous CVEs that are now merged within
> gnutls sources.
Thanks for this patch!
> I deliberately committed it to master branch despite
> guix refresh --list-dependent gnutls returns 5287 packages and that
> https://guix.gnu.org/manual/en/guix.html#Submitting-Patches says such
> packages with more than 3000 impacted packages should be committed
> on core-updates. I did this because it's a minor update to fix a CVE
> so this would be weird to wait 6 months for this update.
Whether or not the update is minor, we still have to use a "graft" [0]
to change packages with this many dependents on the master branch.
Due to the "functional packaging model" of Guix, every dependent of
GnuTLS must be recompiled when the GnuTLS package is changed. We would
constantly be rebuilding nearly every single package if we did not use
grafts for security updates, and that would be infeasible and
inefficient.
Grafts effectively rewrite binary references in compiled software, so
it's kind of a kludge. The binary interface of the new grafted
replacement must be compatible with the original package, and if it's
not, the problems can be hidden and subtle.
For that reason, it's important to make the smallest change possible
when grafting, to reduce the chance of breakage.
So, the question is, does 3.6.16 include only the fix for
CVE-2021-20305? Or does it also include other changes? If the former, we
should cherry-pick the CVE bug fix instead of updating.
Can you look into that and let us know?
> --- a/gnu/packages/patches/gnutls-CVE-2021-20231.patch
> +++ /dev/null
If we do decide to update to 3.6.16, it's also necessary to deregister
the removed patch files in 'gnu/local.mk'. Check this commit for an
example:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b
Finally, here is an example of setting up a graft that includes a single
new patch file:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b
And here is an example of a graft that "updates" a package:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=250a216cdc2d5425ee0053f3e614d54e0fb6aa90
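As an added illustration (not part of this thread and not Guix's own gnutls definition), here are the two graft shapes Leo describes, written as Guix package definitions; the variable names, the patch file name and the sha256 placeholder are assumptions:

```scheme
;; Added example; not code from this bug thread or from Guix's tls.scm.
;; Shows the two graft shapes discussed above.  Assumed/hypothetical:
;; the variable names gnutls/fixed, gnutls/updated and gnutls-grafted,
;; the patch file name, and the sha256 placeholder, which must be
;; replaced by the real hash of the 3.6.16 tarball.
(use-modules (guix packages)
             (guix download)
             (guix utils)            ; version-major+minor
             (gnu packages)          ; search-patches
             (gnu packages tls))     ; the existing gnutls package

;; Graft shape 1: cherry-pick only the CVE fix as a patch.  The
;; replacement inherits everything else, so its binary interface is
;; identical to the original and only the patched source differs.
(define-public gnutls/fixed
  (package/inherit gnutls
    (source
     (origin
       (inherit (package-source gnutls))
       (patches (append (origin-patches (package-source gnutls))
                        (search-patches "gnutls-CVE-2021-20305.patch")))))))

;; Graft shape 2: "update" to a new upstream release.  Only acceptable
;; when the new release is ABI-compatible with the original; otherwise
;; dependents can break in subtle ways after the reference rewrite.
(define-public gnutls/updated
  (package/inherit gnutls
    (version "3.6.16")
    (source
     (origin
       (inherit (package-source gnutls))
       (uri (string-append "mirror://gnupg/gnutls/v"
                           (version-major+minor version)
                           "/gnutls-" version ".tar.xz"))
       (sha256
        ;; PLACEHOLDER: substitute the real hash of gnutls-3.6.16.tar.xz.
        (base32 "0000000000000000000000000000000000000000000000000000"))))))

;; Wiring: the ORIGINAL package points at its replacement.  In the Guix
;; tree this is done by adding a 'replacement' field to the existing
;; gnutls definition; a fresh variable is used here only so the example
;; stays self-contained.  Dependents keep their derivations; Guix
;; rewrites store references at build time instead of rebuilding them.
(define-public gnutls-grafted
  (package
    (inherit gnutls)
    (replacement gnutls/fixed)))
```

With the module on the load path, `guix build -L . -e '(@ (my-module) gnutls-grafted)'` builds the original and applies the graft rather than rebuilding every dependent.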