[bug#74035,v4,8/8] gnu: rnp: Update to 0.17.1. [security fixes]
Commit Message
This fixes CVE-2023-29479 and CVE-2023-29480.
* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 22 deletions(-)
Comments
Hi,
Nicolas Graves <ngraves@ngraves.fr> writes:
> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.
This one fails its test suite for me:
--8<---------------cut here---------------start------------->8---
Start 15: rnp_tests.s2k_iteration_tuning
16/263 Test #15: rnp_tests.s2k_iteration_tuning ................................................***Failed 8.02 sec
[...]
The following tests FAILED:
15 - rnp_tests.s2k_iteration_tuning (Failed)
--8<---------------cut here---------------end--------------->8---
It should probably be reported upstream.
On 2024-11-11 22:14, Maxim Cournoyer wrote:
> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>
>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>> [arguments]: Improve style using gexps.
>> <#:phases>: Add phase 'inject-sexpp-source.
>> [inputs]: Add sexpp.
>
> This one fails its test suite for me:
>
> --8<---------------cut here---------------start------------->8---
> Start 15: rnp_tests.s2k_iteration_tuning
> 16/263 Test #15: rnp_tests.s2k_iteration_tuning ................................................***Failed 8.02 sec
> [...]
> The following tests FAILED:
> 15 - rnp_tests.s2k_iteration_tuning (Failed)
> --8<---------------cut here---------------end--------------->8---
>
> It should probably be reported upstream.
Strange, it worked for me IIRC. Maybe tests are flaky and we should
exclude this one?
Hi Nicolas,
Nicolas Graves <ngraves@ngraves.fr> writes:
> On 2024-11-11 22:14, Maxim Cournoyer wrote:
>
>> Hi,
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>>
>>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>>> [arguments]: Improve style using gexps.
>>> <#:phases>: Add phase 'inject-sexpp-source.
>>> [inputs]: Add sexpp.
>>
>> This one fails its test suite for me:
>>
>> --8<---------------cut here---------------start------------->8---
>> Start 15: rnp_tests.s2k_iteration_tuning
>> 16/263 Test #15: rnp_tests.s2k_iteration_tuning ................................................***Failed 8.02 sec
>> [...]
>> The following tests FAILED:
>> 15 - rnp_tests.s2k_iteration_tuning (Failed)
>> --8<---------------cut here---------------end--------------->8---
>>
>> It should probably be reported upstream.
>
> Strange, it worked for me IIRC. Maybe tests are flaky and we should
> exclude this one?
The test appears to be sensitive to the CPU speed; upstream provided a
solution. I've now applied this series, culminating with commit
44b06b030d. Thank you!
Hi,
Nicolas Graves <ngraves@ngraves.fr> writes:
> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.
I could work it out with this:
--8<---------------cut here---------------start------------->8---
modified gnu/packages/openpgp.scm
@@ -117,6 +117,9 @@ (define-public rnp
(list
#:configure-flags
''("-DBUILD_SHARED_LIBS=on"
+ ;; Lower the minimum tuning ratio from 6 to 4, as suggested
+ ;; upstream to avoid the s2k_iteration_tuning failing.
+ "-DS2K_MINIMUM_TUNING_RATIO=4"
"-DBUILD_TESTING=on"
"-DDOWNLOAD_GTEST=off"
"-DDOWNLOAD_RUBYRNP=off")
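Review bot: the comment on the new "-DS2K_MINIMUM_TUNING_RATIO=4" flag should say where upstream made the suggestion and whether the option only affects the rnp_tests.s2k_iteration_tuning check or also the iteration count the library picks when deriving keys from passphrases. An option with this name reads as a library tuning knob, and lowering a minimum for password-based key derivation in the shipped binary would be a security regression rather than a test fix; if it is test-only, the comment should state that so the next updater does not have to re-verify it.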
@@ -129,22 +132,27 @@ (define-public rnp
(add-after 'unpack 'inject-sexpp-source
(lambda _
(rmdir "src/libsexpp")
- (symlink #$(package-source (this-package-input "sexpp"))
+ (symlink #$(package-source (this-package-native-input "sexpp"))
"src/libsexpp")))
(replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
+ (lambda* (#:key tests? parallel-tests? #:allow-other-keys)
(when tests?
;; Some OpenPGP certificates used by the tests expire.
;; To work around that, set the time to roughly the
;; release date.
- (invoke "faketime" #$day-of-release "make" "test")))))))
+ (setenv "CTEST_OUTPUT_ON_FAILURE" "1")
+ (invoke "faketime" #$day-of-release "ctest"
+ "-j" (if parallel-tests?
+ (number->string (parallel-job-count))
+ "1"))))))))
(native-inputs
- (list gnupg ; for tests
- googletest ; for tests
- libfaketime ; for tests
+ (list gnupg ;for tests
+ googletest ;for tests
+ libfaketime ;for tests
pkg-config
- python))
- (inputs (list botan bzip2 json-c sexpp zlib))
+ python
+ sexpp)) ;sexpp is used as source only
+ (inputs (list botan bzip2 json-c zlib))
(synopsis
"RFC4880-compliant OpenPGP library written in C++")
(description
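Review bot: 'inject-sexpp-source replaces the src/libsexpp submodule directory with the source of Guix's sexpp package, so the build now compiles whatever revision that package carries rather than the one rnp 0.17.1 pins; please confirm the two match, or record the required version next to the ";sexpp is used as source only" comment, since an API drift would only surface as a build or test failure. Moving sexpp to native-inputs and using this-package-native-input is otherwise the right fix, as nothing from it is linked into the result, and the switch to ctest with CTEST_OUTPUT_ON_FAILURE=1 and the parallel-tests? plumbing looks fine.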
--8<---------------cut here---------------end--------------->8---
Thanks to upstream's extreme responsiveness (answered in seconds!)
Nitpick: inline comments shouldn't have a space between the ';' and the text.
I've also made the test suite run in parallel and restored the
CTEST_OUTPUT_ON_FAILURE behavior of the stock check phase, as that's
very useful in case of problems.
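To make concrete what a CPU-speed-sensitive S2K tuning check looks like (the rnp_tests.s2k_iteration_tuning failure above and the -DS2K_MINIMUM_TUNING_RATIO=4 workaround), here is an added example; it is not rnp's code and not part of this patch. It implements the RFC 4880 iterated-and-salted S2K count encoding and a tuner that picks a count for a time budget from a hashing rate. The rate is passed in instead of being benchmarked so the arithmetic is deterministic; rnp's real test times the hash, and the exact assertion it makes is not shown on this page. The function names s2k_tune and s2k_tuning_ratio, the 10 ms and 100 ms budgets, and the two sample rates are assumptions; saturation at the one-octet maximum is one mechanism by which a faster machine lowers the ratio between the two tuned counts.

```cpp
#include <cstdint>
#include <cstdio>

// RFC 4880 section 3.7.1.3: the one-octet "count" expands to
// (16 + low nibble) << (high nibble + 6), i.e. 1024 .. 65011712 bytes hashed.
constexpr uint32_t s2k_decode_count(uint8_t c) {
    return static_cast<uint32_t>(16 + (c & 15)) << ((c >> 4) + 6);
}

constexpr uint32_t S2K_MIN_COUNT = s2k_decode_count(0);    // 1024
constexpr uint32_t S2K_MAX_COUNT = s2k_decode_count(255);  // 65011712

// Smallest encodable count that is >= desired (the encoding is monotonic
// in c), saturating at 255 when desired exceeds S2K_MAX_COUNT.
uint8_t s2k_encode_count(uint64_t desired) {
    for (unsigned c = 0; c < 256; ++c) {
        if (s2k_decode_count(static_cast<uint8_t>(c)) >= desired) {
            return static_cast<uint8_t>(c);
        }
    }
    return 255;
}

// Choose the encoded count for a time budget from a hashing rate in bytes
// per millisecond.  A real tuner measures the rate on the current CPU; here
// it is a parameter (assumption) so the effect of CPU speed can be shown
// without a timing-dependent benchmark.
uint8_t s2k_tune(double bytes_per_ms, double budget_ms) {
    double desired = bytes_per_ms * budget_ms;
    if (desired >= static_cast<double>(S2K_MAX_COUNT)) return 255;
    if (desired <= static_cast<double>(S2K_MIN_COUNT)) return 0;
    return s2k_encode_count(static_cast<uint64_t>(desired));
}

// Ratio between the counts tuned for a long and a short budget.  A test that
// asserts ratio >= some minimum (6 by default per the flag in the thread, 4
// with the workaround) fails once the long budget saturates at
// S2K_MAX_COUNT, which happens first on fast CPUs.
double s2k_tuning_ratio(double bytes_per_ms, double short_ms, double long_ms) {
    double long_count = s2k_decode_count(s2k_tune(bytes_per_ms, long_ms));
    double short_count = s2k_decode_count(s2k_tune(bytes_per_ms, short_ms));
    return long_count / short_count;
}

int main() {
    // Constructed sample rates: roughly 100 MB/s and 1.5 GB/s of hashing.
    const double rates[] = {100000.0, 1500000.0};
    for (double r : rates) {
        std::printf("rate %.0f B/ms: 10 ms -> 0x%02x (%u), "
                    "100 ms -> 0x%02x (%u), ratio %.2f\n",
                    r,
                    static_cast<unsigned>(s2k_tune(r, 10)),
                    static_cast<unsigned>(s2k_decode_count(s2k_tune(r, 10))),
                    static_cast<unsigned>(s2k_tune(r, 100)),
                    static_cast<unsigned>(s2k_decode_count(s2k_tune(r, 100))),
                    s2k_tuning_ratio(r, 10, 100));
    }
    return 0;
}
```

With the slow rate the 100 ms count is about ten times the 10 ms count (both fit inside the encodable range); with the fast rate the 100 ms budget already exceeds the 65011712-byte maximum, so it is clamped and the ratio drops to about 4.3, which passes a minimum of 4 but not of 6. That is the shape of failure a fixed minimum ratio invites on sufficiently fast hardware, independent of timer noise.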
@@ -23,6 +23,7 @@ (define-module (gnu packages openpgp)
#:use-module (guix git-download)
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
+ #:use-module (guix gexp)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (gnu packages)
#:use-module (gnu packages check)
@@ -98,10 +99,10 @@ (define-public dkgpg
(license license:gpl2+)))
(define-public rnp
- (let ((day-of-release "2022-09-22"))
+ (let ((day-of-release "2024-05-14"))
(package
(name "rnp")
- (version "0.16.2")
+ (version "0.17.1")
(source (origin
(method git-fetch)
(uri (git-reference
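Review bot: day-of-release changes to "2024-05-14" with no indication of where the date comes from; since it is fed to faketime so that the expiring test certificates are still valid, a one-line comment naming it as the 0.17.1 tag date would save the next updater from rediscovering why the tests fail with the current clock. The commit message's "[security fixes]" claim for CVE-2023-29479 and CVE-2023-29480 should likewise point at the upstream release note that states which version fixed them, so the claim can be checked without digging through the changelog.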
@@ -110,33 +111,40 @@ (define-public rnp
(file-name (git-file-name name version))
(sha256
(base32
- "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+ "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
(build-system cmake-build-system)
- (arguments `(#:configure-flags
- '("-DBUILD_SHARED_LIBS=on"
- "-DBUILD_TESTING=on"
- "-DDOWNLOAD_GTEST=off"
- "-DDOWNLOAD_RUBYRNP=off")
- #:phases
- (modify-phases %standard-phases
- (add-after 'unpack 'patch-tests
- (lambda _
- (substitute* "src/tests/support.cpp"
- (("\"cp\"") (search-input-file inputs "/bin/cp")))))
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (when tests?
- ;; Some OpenPGP certificates used by the tests expire.
- ;; To work around that, set the time to roughly the
- ;; release date.
- (invoke "faketime" ,day-of-release "make" "test")))))))
+ (arguments
+ (list
+ #:configure-flags
+ ''("-DBUILD_SHARED_LIBS=on"
+ "-DBUILD_TESTING=on"
+ "-DDOWNLOAD_GTEST=off"
+ "-DDOWNLOAD_RUBYRNP=off")
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'patch-tests
+ (lambda _
+ (substitute* "src/tests/support.cpp"
+ (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+ (add-after 'unpack 'inject-sexpp-source
+ (lambda _
+ (rmdir "src/libsexpp")
+ (symlink #$(package-source (this-package-input "sexpp"))
+ "src/libsexpp")))
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (when tests?
+ ;; Some OpenPGP certificates used by the tests expire.
+ ;; To work around that, set the time to roughly the
+ ;; release date.
+ (invoke "faketime" #$day-of-release "make" "test")))))))
(native-inputs
(list gnupg ; for tests
googletest ; for tests
libfaketime ; for tests
pkg-config
python))
- (inputs (list botan bzip2 json-c zlib))
+ (inputs (list botan bzip2 json-c sexpp zlib))
(synopsis
"RFC4880-compliant OpenPGP library written in C++")
(description
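Review bot: in the 'patch-tests phase, (lambda _ ...) binds no inputs, yet the body calls (search-input-file inputs "/bin/cp"); that reference is unbound on the build side, so the phase either fails or, if "cp" no longer appears in src/tests/support.cpp in 0.17.1, silently does nothing. Use (lambda* (#:key inputs #:allow-other-keys) ...) as the 'check phase does, and verify the substitution still matches after the version bump. Separately, sexpp is only consumed as source by 'inject-sexpp-source, so listing it under inputs records a run-time dependency that does not exist; native-inputs with this-package-native-input is the accurate placement.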