GNU bug report logs -
#48648
[PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Reported by: Solene Rapenne <solene <at> perso.pw>
Date: Tue, 25 May 2021 10:37:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Message #14 received at 48648 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should instead cherry-pick the CVE bug fix instead of updating.
GnuTLS usually mentions whether or not an update is ABI-compatible:
https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html
However it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package). I.e.:
abidiff $(guix build gnutls)/lib/libgnutls.so \
$(./pre-inst-env guix build gnutls)/lib/libgnutls.so
(this won't work because of multiple outputs, but you get the drill)
When there is no change, the graft _should_ be perfectly safe. If there
are changes, it becomes a judgement call. The 'abidiff' output is of
great assistance in that case.
Anyway, just some general notes on grafting. Thanks a lot for looking
after security issues Solene.
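The message above recommends comparing the old and the replacement library with abidiff before trusting a graft. As an added illustration (not code from the bug thread, nor from Guix or libabigail), the script below does a much coarser version of the same check in plain POSIX shell: it extracts the exported dynamic symbols of two shared objects with nm, and reports removed symbols (an incompatible change) and added symbols (a compatible but still visible change), mirroring the abidiff exit codes 0, 4 and 8. The symbol names in the comments and usage line are only examples; the Guix usage line assumes that the first path printed by guix build is the output holding the library.

```shell
#!/bin/sh
# Added example: a rough ABI sanity check that compares the exported
# dynamic symbol sets of two shared objects. It is a stand-in for
# abidiff when libabigail is not installed, not a replacement for it.

# Print the defined, exported symbol names of a shared object, one per
# line, sorted. Lines from 'nm -D' look like "0000000000001139 T gnutls_init".
exported_symbols() {
    nm -D --defined-only "$1" | awk 'NF >= 3 { print $3 }' | sort -u
}

# symbol_verdict OLD_LIST NEW_LIST
# Both arguments are newline-separated symbol names (as printed by
# exported_symbols). Prints the removed and added symbols and returns
# abidiff-style codes:
#   0 = identical exported symbol set
#   4 = compatible change (symbols were only added)
#   8 = incompatible change (at least one symbol disappeared)
symbol_verdict() {
    old_tmp=$(mktemp)
    new_tmp=$(mktemp)
    printf '%s\n' "$1" | awk 'NF' | sort -u > "$old_tmp"
    printf '%s\n' "$2" | awk 'NF' | sort -u > "$new_tmp"
    # comm needs sorted input: -23 keeps lines only in OLD, -13 only in NEW
    removed=$(comm -23 "$old_tmp" "$new_tmp")
    added=$(comm -13 "$old_tmp" "$new_tmp")
    rm -f "$old_tmp" "$new_tmp"
    [ -n "$removed" ] && printf 'removed symbols:\n%s\n' "$removed"
    [ -n "$added" ] && printf 'added symbols:\n%s\n' "$added"
    if [ -n "$removed" ]; then
        return 8
    fi
    if [ -n "$added" ]; then
        return 4
    fi
    return 0
}

# abi_symbol_check OLD_SO NEW_SO
# Convenience wrapper over real files, e.g. the library from the current
# package and the one from the proposed replacement.
abi_symbol_check() {
    symbol_verdict "$(exported_symbols "$1")" "$(exported_symbols "$2")"
}

# Usage for the case in the thread (assumption: the first store path that
# 'guix build' prints is the output that contains lib/libgnutls.so):
#   abi_symbol_check "$(guix build gnutls | head -n1)/lib/libgnutls.so" \
#                    "$(./pre-inst-env guix build gnutls | head -n1)/lib/libgnutls.so"
#   echo "verdict: $?"
```

The exit-code convention follows abidiff (0 no change, 4 compatible change, 8 incompatible change) so the wrapper can drop into the same place in a review script. Keep in mind what this does not see: abidiff reads DWARF and also flags changed struct layouts, function signatures and enum values behind an unchanged symbol name, which are exactly the "hidden and subtle" breakages the quoted message warns about. A clean result from the symbol comparison is necessary, not sufficient.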