
[bug#74035,v4,8/8] gnu: rnp: Update to 0.17.1. [security fixes]

Message ID 20241105231405.21806-8-ngraves@ngraves.fr
State New
Series [bug#74035,v4,1/8] gnu: bart: Update to 0.9.00. [security fixes]

Commit Message

Nicolas Graves Nov. 5, 2024, 11:13 p.m. UTC
This fixes CVE-2023-29479 and CVE-2023-29480.

* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
 gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

Comments

Maxim Cournoyer Nov. 11, 2024, 1:14 p.m. UTC | #1
Hi,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.

This one fails its test suite for me:

--8<---------------cut here---------------start------------->8---
        Start  15: rnp_tests.s2k_iteration_tuning
 16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
[...]
The following tests FAILED:
	 15 - rnp_tests.s2k_iteration_tuning (Failed)
--8<---------------cut here---------------end--------------->8---

It should probably be reported upstream.
Nicolas Graves Nov. 11, 2024, 3:23 p.m. UTC | #2
On 2024-11-11 22:14, Maxim Cournoyer wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>
>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>> [arguments]: Improve style using gexps.
>> <#:phases>: Add phase 'inject-sexpp-source.
>> [inputs]: Add sexpp.
>
> This one fails its test suite for me:
>
> --8<---------------cut here---------------start------------->8---
>         Start  15: rnp_tests.s2k_iteration_tuning
>  16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
> [...]
> The following tests FAILED:
> 	 15 - rnp_tests.s2k_iteration_tuning (Failed)
> --8<---------------cut here---------------end--------------->8---
>
> It should probably be reported upstream.

Strange, it worked for me IIRC.  Maybe tests are flaky and we should
exclude this one?
Maxim Cournoyer Nov. 12, 2024, 11:54 a.m. UTC | #3
Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> On 2024-11-11 22:14, Maxim Cournoyer wrote:
>
>> Hi,
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>>
>>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>>> [arguments]: Improve style using gexps.
>>> <#:phases>: Add phase 'inject-sexpp-source.
>>> [inputs]: Add sexpp.
>>
>> This one fails its test suite for me:
>>
>> --8<---------------cut here---------------start------------->8---
>>         Start  15: rnp_tests.s2k_iteration_tuning
>>  16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
>> [...]
>> The following tests FAILED:
>> 	 15 - rnp_tests.s2k_iteration_tuning (Failed)
>> --8<---------------cut here---------------end--------------->8---
>>
>> It should probably be reported upstream.
>
> Strange, it worked for me IIRC.  Maybe tests are flaky and we should
> exclude this one?

The test appears to be sensitive to the CPU speed; upstream provided a
solution.  I've now applied this series, culminating with commit
44b06b030d.  Thank you!
Maxim Cournoyer Nov. 12, 2024, 2:12 p.m. UTC | #4
Hi,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.

I could work it out with this:

--8<---------------cut here---------------start------------->8---
modified   gnu/packages/openpgp.scm
@@ -117,6 +117,9 @@ (define-public rnp
        (list
         #:configure-flags
         ''("-DBUILD_SHARED_LIBS=on"
+           ;; Lower the minimum tuning ratio from 6 to 4, as suggested
+           ;; upstream to avoid the s2k_iteration_tuning failing.
+           "-DS2K_MINIMUM_TUNING_RATIO=4"
            "-DBUILD_TESTING=on"
            "-DDOWNLOAD_GTEST=off"
            "-DDOWNLOAD_RUBYRNP=off")
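Review bot: `-DS2K_MINIMUM_TUNING_RATIO=4` is passed in `#:configure-flags` for the whole build, not only for the test binary, so the comment should state whether it changes just the acceptance threshold of `rnp_tests.s2k_iteration_tuning` or also the S2K iteration count the library selects for password-based key derivation at runtime. If it is the latter, lowering the ratio from 6 to 4 reduces the work factor users get from string-to-key derivation, and skipping or relaxing the single timing-sensitive test would be the safer fix than weakening the library default.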
@@ -129,22 +132,27 @@ (define-public rnp
             (add-after 'unpack 'inject-sexpp-source
               (lambda _
                 (rmdir "src/libsexpp")
-                (symlink #$(package-source (this-package-input "sexpp"))
+                (symlink #$(package-source (this-package-native-input "sexpp"))
                          "src/libsexpp")))
             (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
+              (lambda* (#:key tests? parallel-tests? #:allow-other-keys)
                 (when tests?
                   ;; Some OpenPGP certificates used by the tests expire.
                   ;; To work around that, set the time to roughly the
                   ;; release date.
-                  (invoke "faketime" #$day-of-release "make" "test")))))))
+                  (setenv "CTEST_OUTPUT_ON_FAILURE" "1")
+                  (invoke "faketime" #$day-of-release "ctest"
+                          "-j" (if parallel-tests?
+                                   (number->string (parallel-job-count))
+                                   "1"))))))))
       (native-inputs
-       (list gnupg       ; for tests
-             googletest  ; for tests
-             libfaketime ; for tests
+       (list gnupg                      ;for tests
+             googletest                 ;for tests
+             libfaketime                ;for tests
              pkg-config
-             python))
-      (inputs (list botan bzip2 json-c sexpp zlib))
+             python
+             sexpp))                    ;sexpp is used as source only
+      (inputs (list botan bzip2 json-c zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
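Review bot: switching from `make test` to `ctest -j (parallel-job-count)` is a second behaviour change on top of the tuning-ratio flag, and the failure reported earlier in this thread was a CPU-speed-sensitive test; running it concurrently with the other 262 tests on a loaded builder may reintroduce flakiness even with the lower ratio, so it is worth noting this in the comment and, if it recurs, running that one test serially rather than loosening the threshold further. Moving `sexpp` to `native-inputs` and reading it via `(this-package-native-input "sexpp")` is right, since it is only symlinked into `src/libsexpp` as source and is not a runtime dependency.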
--8<---------------cut here---------------end--------------->8---

Thanks to upstream's extreme responsiveness (answered in seconds!)

Nitpick: inline comments shouldn't have a space between the ';' and the text.

I've also made the test suite run in parallel and restored the
CTEST_OUTPUT_ON_FAILURE behavior of the stock check phase, as that's
very useful in case of problems.

Patch

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 356908ab1f..baf786c5ee 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -23,6 +23,7 @@  (define-module (gnu packages openpgp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages check)
@@ -98,10 +99,10 @@  (define-public dkgpg
     (license license:gpl2+)))
 
 (define-public rnp
-  (let ((day-of-release "2022-09-22"))
+  (let ((day-of-release "2024-05-14"))
     (package
       (name "rnp")
-      (version "0.16.2")
+      (version "0.17.1")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
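Review bot: the ChangeLog in the commit message does not mention the `day-of-release` change from "2022-09-22" to "2024-05-14" made in this hunk, even though that value is what `faketime` pins the clock to so the tests' OpenPGP certificates are not seen as expired; add a line for it so the dependency between the pinned date and the release being packaged stays visible in the history.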
@@ -110,33 +111,40 @@  (define-public rnp
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+                  "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
       (build-system cmake-build-system)
-      (arguments `(#:configure-flags
-                   '("-DBUILD_SHARED_LIBS=on"
-                     "-DBUILD_TESTING=on"
-                     "-DDOWNLOAD_GTEST=off"
-                     "-DDOWNLOAD_RUBYRNP=off")
-                   #:phases
-                   (modify-phases %standard-phases
-                     (add-after 'unpack 'patch-tests
-                       (lambda _
-                         (substitute* "src/tests/support.cpp"
-                           (("\"cp\"") (search-input-file inputs "/bin/cp")))))
-                     (replace 'check
-                       (lambda* (#:key tests? #:allow-other-keys)
-                         (when tests?
-                           ;; Some OpenPGP certificates used by the tests expire.
-                           ;; To work around that, set the time to roughly the
-                           ;; release date.
-                           (invoke "faketime" ,day-of-release "make" "test")))))))
+      (arguments
+       (list
+        #:configure-flags
+        ''("-DBUILD_SHARED_LIBS=on"
+           "-DBUILD_TESTING=on"
+           "-DDOWNLOAD_GTEST=off"
+           "-DDOWNLOAD_RUBYRNP=off")
+        #:phases
+        #~(modify-phases %standard-phases
+            (add-after 'unpack 'patch-tests
+              (lambda _
+                (substitute* "src/tests/support.cpp"
+                  (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+            (add-after 'unpack 'inject-sexpp-source
+              (lambda _
+                (rmdir "src/libsexpp")
+                (symlink #$(package-source (this-package-input "sexpp"))
+                         "src/libsexpp")))
+            (replace 'check
+              (lambda* (#:key tests? #:allow-other-keys)
+                (when tests?
+                  ;; Some OpenPGP certificates used by the tests expire.
+                  ;; To work around that, set the time to roughly the
+                  ;; release date.
+                  (invoke "faketime" #$day-of-release "make" "test")))))))
       (native-inputs
        (list gnupg       ; for tests
              googletest  ; for tests
              libfaketime ; for tests
              pkg-config
              python))
-      (inputs (list botan bzip2 json-c zlib))
+      (inputs (list botan bzip2 json-c sexpp zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
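Review bot: in the `patch-tests` phase carried over into the gexp, `inputs` is referenced but never bound: the phase is `(lambda _ ...)`, yet its body calls `(search-input-file inputs "/bin/cp")`. Because `substitute*` only evaluates the replacement when the pattern matches, this is either an unbound-variable failure at build time (if `"cp"` still appears in src/tests/support.cpp) or dead code (if it no longer does); either change it to `(lambda* (#:key inputs #:allow-other-keys) ...)` or drop the phase once the substitution is confirmed unnecessary. Separately, `sexpp` is consumed only through `(package-source (this-package-input "sexpp"))` to symlink its source into `src/libsexpp`, so it is not a runtime dependency and belongs in `native-inputs` (read with `this-package-native-input`) rather than `inputs`.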