[bug#64982,v1,0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

Message ID	cover.1690845769.git.GNUtoo@cyberdimension.org
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) Resent-From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Mon, 31 Jul 2023 23:34:02 +0000 Resent-Message-ID: <handler.64982.B.16908464202373@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 64982@debbugs.gnu.org Cc: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> Date: Tue, 1 Aug 2023 01:33:17 +0200 Message-ID: <cover.1690845769.git.GNUtoo@cyberdimension.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2001:910:1314:ffff::1; envelope-from=GNUtoo@cyberdimension.org; helo=gnutoo.cyberdimension.org X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) \| expand [bug#64982,v1,0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) [bug#64982,v1,1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

Message ID

cover.1690845769.git.GNUtoo@cyberdimension.org

Headers

Subject: [bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8
 critical)
Resent-From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 31 Jul 2023 23:34:02 +0000
Resent-Message-ID: <handler.64982.B.16908464202373@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: 64982@debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Date: Tue,  1 Aug 2023 01:33:17 +0200
Message-ID: <cover.1690845769.git.GNUtoo@cyberdimension.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2001:910:1314:ffff::1;
 envelope-from=GNUtoo@cyberdimension.org; helo=gnutoo.cyberdimension.org
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

Series

Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical) | expand

Message

Denis 'GNUtoo' Carikli July 31, 2023, 11:33 p.m. UTC

Hi,

The patch that will follow updates LibreSSL to the last version to fix the
CVE-2023-35784[1]. That CVE consist of a double free and a use after free and
is considered critical according to the NIST.

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784

While LibreSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
  gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc

Comments

Andreas Enge Sept. 7, 2023, 4:38 p.m. UTC | #1

Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date:   Sun Aug 13 02:00:00 2023 +0200
    gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
    Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
    but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
    * gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:
   https://qa.guix.gnu.org/issue/64982
   https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.

Andreas