GNU bug report logs - #74035
[PATCH 00/24] [security fixes] for near-leaf packages


Package: guix-patches

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:34:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74035 <at> debbugs.gnu.org
Subject: [bug#74035] [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]
Date: Tue, 12 Nov 2024 23:12:13 +0900

Hi,

Nicolas Graves <ngraves <at> ngraves.fr> writes:

> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.

I could work it out with this:

--8<---------------cut here---------------start------------->8---
modified   gnu/packages/openpgp.scm
@@ -117,6 +117,9 @@ (define-public rnp
        (list
         #:configure-flags
         ''("-DBUILD_SHARED_LIBS=on"
+           ;; Lower the minimum tuning ratio from 6 to 4, as suggested
+           ;; upstream to avoid the s2k_iteration_tuning failing.
+           "-DS2K_MINIMUM_TUNING_RATIO=4"
            "-DBUILD_TESTING=on"
            "-DDOWNLOAD_GTEST=off"
            "-DDOWNLOAD_RUBYRNP=off")
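Review bot: The comment above "-DS2K_MINIMUM_TUNING_RATIO=4" says the lower ratio was "suggested upstream" but cites no reference, and it does not say whether the flag only relaxes the threshold checked by the s2k_iteration_tuning test or also affects what the installed library does. Because this is a configure flag on a security update of an OpenPGP library, add the upstream issue or commit URL to the comment and state the flag's scope, so that a later update can tell when the workaround is no longer needed.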
@@ -129,22 +132,27 @@ (define-public rnp
             (add-after 'unpack 'inject-sexpp-source
               (lambda _
                 (rmdir "src/libsexpp")
-                (symlink #$(package-source (this-package-input "sexpp"))
+                (symlink #$(package-source (this-package-native-input "sexpp"))
                          "src/libsexpp")))
             (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
+              (lambda* (#:key tests? parallel-tests? #:allow-other-keys)
                 (when tests?
                   ;; Some OpenPGP certificates used by the tests expire.
                   ;; To work around that, set the time to roughly the
                   ;; release date.
-                  (invoke "faketime" #$day-of-release "make" "test")))))))
+                  (setenv "CTEST_OUTPUT_ON_FAILURE" "1")
+                  (invoke "faketime" #$day-of-release "ctest"
+                          "-j" (if parallel-tests?
+                                   (number->string (parallel-job-count))
+                                   "1"))))))))
       (native-inputs
-       (list gnupg       ; for tests
-             googletest  ; for tests
-             libfaketime ; for tests
+       (list gnupg                      ;for tests
+             googletest                 ;for tests
+             libfaketime                ;for tests
              pkg-config
-             python))
-      (inputs (list botan bzip2 json-c sexpp zlib))
+             python
+             sexpp))                    ;sexpp is used as source only
+      (inputs (list botan bzip2 json-c zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
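Review bot: In native-inputs, sexpp is listed as a whole package even though, per its own comment (";sexpp is used as source only") and the 'inject-sexpp-source phase, only its (package-source ...) is symlinked into src/libsexpp. As written, the built sexpp package is still pulled into the build environment; consider referencing the source origin directly, or extend the comment to say why the lookup through this-package-native-input is kept. In the 'check phase, the comment still only explains the faketime wrapper; a short line on why "make test" became a direct "ctest" call with CTEST_OUTPUT_ON_FAILURE set would document the change in the code as well as in this message.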
--8<---------------cut here---------------end--------------->8---

Thanks to upstream's extreme responsiveness (answered in seconds!)

Nitpick: inline comments shouldn't have a space between the ';' and the text.

I've also made the test suite run in parallel and restored the
CTEST_OUTPUT_ON_FAILURE behavior of the stock check phase, as that's
very useful in case of problems.

-- 
Thanks,
Maxim




This bug report was last modified 192 days ago.
