From patchwork Fri May 28 17:06:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Solene Rapenne X-Patchwork-Id: 29638 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 645BE27BC81; Fri, 28 May 2021 18:09:23 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 0ECA127BC78 for ; Fri, 28 May 2021 18:09:23 +0100 (BST) Received: from localhost ([::1]:59418 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lmfz8-0004mp-4N for patchwork@mira.cbaines.net; Fri, 28 May 2021 13:09:22 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:53338) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lmfxq-0002tZ-4a for guix-patches@gnu.org; Fri, 28 May 2021 13:08:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:43709) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lmfxp-0007cD-MD for guix-patches@gnu.org; Fri, 28 May 2021 13:08:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lmfxp-0008Cw-Hc for guix-patches@gnu.org; Fri, 28 May 2021 13:08:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305]. Resent-From: Solene Rapenne Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 28 May 2021 17:08:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48648 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Leo Famulari Cc: 48648@debbugs.gnu.org, Marius Bakke Received: via spool by 48648-submit@debbugs.gnu.org id=B48648.162222163631492 (code B ref 48648); Fri, 28 May 2021 17:08:01 +0000 Received: (at 48648) by debbugs.gnu.org; 28 May 2021 17:07:16 +0000 Received: from localhost ([127.0.0.1]:55255 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmfx2-0008Bp-Fp for submit@debbugs.gnu.org; Fri, 28 May 2021 13:07:16 -0400 Received: from perso.pw ([163.172.223.238]:47355) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmfwy-0008Bc-0M for 48648@debbugs.gnu.org; Fri, 28 May 2021 13:07:11 -0400 Received: from perso.pw (localhost [127.0.0.1]) by perso.pw (OpenSMTPD) with ESMTP id c9b65bcb; Fri, 28 May 2021 19:07:03 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=perso.pw; h=date:from:to :cc:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; s=1337; bh=YfGaK5v1UCSq JA6GtAna9zRV26I=; b=hglR5l5ue2VJWrnxaTZR5+zXFx+YKnAOTkU0/J7ueGz7 iG8UtU45MEBN72kfkBM74VNro+JI4mU3b3QbLXVMXWfgMOcdQVTMaSQcFwcKIxa2 TZkrTuh3q6fU1Dnv1b83UYmxqBUPebojyI9SUI484pbra5y9peKyInbful9xW1c= DomainKey-Signature: a=rsa-sha1; c=nofws; d=perso.pw; h=date:from:to:cc :subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; q=dns; s=1337; b=pv6GNX bVpg0vmWVDwtk0uodcPgcUXF/ZWNhpppORdYIcq/ANNJs+qSHUme+ENeU8xAZ22z JMXlZ7v6cza2HpMTw47UKIn4Cze4TbJMpGARWNhtofy1q5CH2H+LeTym8QUlYy5O sDHo0pntjyKSXUcfPc7ojvlKc+bg2LyHGSPGE= Received: from localhost (176-154-164-34.abo.bbox.fr [176.154.164.34]) by perso.pw (OpenSMTPD) with ESMTPSA id 1f88bede (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Fri, 28 May 2021 19:06:59 +0200 (CEST) Date: Fri, 28 May 2021 19:06:52 +0200 Message-ID: <20210528190652.5eb6753c@perso.pw> In-Reply-To: References: <20210525123604.2dc745b3@perso.pw> <87o8cyppfh.fsf@gnu.org> <20210525224757.5e28ca79@perso.pw> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" Reply-to: Solene Rapenne X-ACL-Warn: , Solene Rapenne via Guix-patches X-Patchwork-Original-From: Solene Rapenne via Guix-patches via From: Solene Rapenne X-getmail-retrieved-from-mailbox: Patches Le Thu, 27 May 2021 10:28:54 -0400, Leo Famulari a écrit : > On Tue, May 25, 2021 at 10:47:57PM +0200, Solene Rapenne wrote: > > I understand from the output that there is no ABI change. > > Great! So, what's left for this patch is to set up the graft. > > Concretely, that means creating a new variable 'gnutls-3.6.16' that > inherits from 'gnutls' and adjusts the version and source fields. Then, > add a replacement field to the new 'gnutls' package that uses > 'gnutls-3.6.16'. > > Can you send a revised patch? here is the new patch From 086ebe0c9e2a8999d1ce46ffa75291ea5a25f2ed Mon Sep 17 00:00:00 2001 From: Solene Rapenne Date: Fri, 28 May 2021 19:05:23 +0200 Subject: [PATCH] gnu: gnutls: Replace with 3.6.16 [fixes CVE-2021-20305]. --- gnu/packages/tls.scm | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 174438ad87..55410f3911 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -15,6 +15,7 @@ ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2019 Mathieu Othacehe ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright © 2021 Solene Rapenne ;;; ;;; This file is part of GNU Guix. ;;; @@ -165,6 +166,7 @@ living in the same process.") (package (name "gnutls") (version "3.6.15") + (replacement gnutls-3.6.16) (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the @@ -258,6 +260,22 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) +;; Replacement package to fix CVE-2021-20305. +(define gnutls-3.6.16 + (package + (inherit gnutls) + (version "3.6.16") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches (search-patches "gnutls-skip-trust-store-test.patch" + "gnutls-cross.patch")) + (sha256 + (base32 + "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v")))))) + (define-public gnutls/guile-2.0 ;; GnuTLS for Guile 2.0. (package/inherit gnutls