From patchwork Tue May 25 10:36:04 2021
X-Patchwork-Submitter: Solene Rapenne
X-Patchwork-Id: 29588
Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
To: 48648@debbugs.gnu.org
Date: Tue, 25 May 2021 12:36:04 +0200
Message-ID: <20210525123604.2dc745b3@perso.pw>
From: Solene Rapenne

I removed the 2 patches for previous CVEs that are now merged within gnutls sources.

I deliberately committed it to master branch despite guix refresh --list-dependent gnutls returns 5287 packages and that https://guix.gnu.org/manual/en/guix.html#Submitting-Patches says such packages with more than 3000 impacted packages should be committed on core-updates. I did this because it's a minor update to fix a CVE so this would be weird to wait 6 months for this update.

--- .../patches/gnutls-CVE-2021-20231.patch | 62 ------------------- .../patches/gnutls-CVE-2021-20232.patch | 60 ------------------ gnu/packages/tls.scm | 9 ++- 3 files changed, 4 insertions(+), 127 deletions(-) delete mode 100644 gnu/packages/patches/gnutls-CVE-2021-20231.patch delete mode 100644 gnu/packages/patches/gnutls-CVE-2021-20232.patch diff --git a/gnu/packages/patches/gnutls-CVE-2021-20231.patch b/gnu/packages/patches/gnutls-CVE-2021-20231.patch deleted file mode 100644 index 5186522eee..0000000000 --- a/gnu/packages/patches/gnutls-CVE-2021-20231.patch +++ /dev/null
@@ -1,62 +0,0 @@ -From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 29 Jan 2021 14:06:05 +0100 -Subject: [PATCH 1/2] key_share: avoid use-after-free around realloc - -Signed-off-by: Daiki Ueno ---- - lib/ext/key_share.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c -index ab8abf8fe..a8c4bb5cf 100644 ---- a/lib/ext/key_share.c -+++ b/lib/ext/key_share.c -@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, - { - unsigned i; - int ret; -- unsigned char *lengthp; -- unsigned int cur_length; - unsigned int generated = 0; - const gnutls_group_entry_st *group; - const version_entry_st *ver; - - /* this extension is only being sent on client side */ - if (session->security_parameters.entity == GNUTLS_CLIENT) { -+ unsigned int length_pos; -+ - ver = _gnutls_version_max(session); - if (unlikely(ver == NULL || ver->key_shares == 0)) - return 0; -@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, - if (!have_creds_for_tls13(session)) - return 0; - -- /* write the total length later */ -- lengthp = &extdata->data[extdata->length]; -+ length_pos = extdata->length; - - ret = - _gnutls_buffer_append_prefix(extdata, 16, 0); - if (ret < 0) - return gnutls_assert_val(ret); - -- cur_length = extdata->length; -- - if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ - group = get_group(session); - if (unlikely(group == NULL)) -@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, - } - - /* copy actual length */ -- _gnutls_write_uint16(extdata->length - cur_length, lengthp); -+ _gnutls_write_uint16(extdata->length - length_pos - 2, -+ &extdata->data[length_pos]); - - } else { /* server */ - ver = get_version(session); --- -2.30.2 - 
diff --git a/gnu/packages/patches/gnutls-CVE-2021-20232.patch b/gnu/packages/patches/gnutls-CVE-2021-20232.patch deleted file mode 100644 index dc3a0be690..0000000000 --- a/gnu/packages/patches/gnutls-CVE-2021-20232.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 29 Jan 2021 14:06:23 +0100 -Subject: [PATCH 2/2] pre_shared_key: avoid use-after-free around realloc - -Signed-off-by: Daiki Ueno ---- - lib/ext/pre_shared_key.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c -index a042c6488..380bf39ed 100644 ---- a/lib/ext/pre_shared_key.c -+++ b/lib/ext/pre_shared_key.c -@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, - size_t spos; - gnutls_datum_t username = {NULL, 0}; - gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0}; -- gnutls_datum_t client_hello; -+ unsigned client_hello_len; - unsigned next_idx; - const mac_entry_st *prf_res = NULL; - const mac_entry_st *prf_psk = NULL; -@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, - assert(extdata->length >= sizeof(mbuffer_st)); - assert(ext_offset >= (ssize_t)sizeof(mbuffer_st)); - ext_offset -= sizeof(mbuffer_st); -- client_hello.data = extdata->data+sizeof(mbuffer_st); -- client_hello.size = extdata->length-sizeof(mbuffer_st); -+ client_hello_len = extdata->length-sizeof(mbuffer_st); - - next_idx = 0; - -@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, - } - - if (prf_res && rkey.size > 0) { -+ gnutls_datum_t client_hello; -+ -+ client_hello.data = extdata->data+sizeof(mbuffer_st); -+ client_hello.size = client_hello_len; -+ - ret = compute_psk_binder(session, prf_res, - binders_len, binders_pos, - ext_offset, &rkey, &client_hello, 1, -@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, - } - - if (prf_psk && user_key.size > 0 && info) { -+ gnutls_datum_t client_hello; -+ -+ client_hello.data = extdata->data+sizeof(mbuffer_st); -+ client_hello.size = client_hello_len; -+ - ret = compute_psk_binder(session, prf_psk, - binders_len, binders_pos, - ext_offset, &user_key, &client_hello, 0, --- -2.30.2 - 
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 174438ad87..ed8fc6532a 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -15,6 +15,7 @@ ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2019 Mathieu Othacehe ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright © 2021 Solene Rapenne ;;; ;;; This file is part of GNU Guix. ;;; @@ -164,7 +165,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") - (version "3.6.15") + (version "3.6.16") (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the @@ -173,12 +174,10 @@ living in the same process.") (version-major+minor version) "/gnutls-" version ".tar.xz")) (patches (search-patches "gnutls-skip-trust-store-test.patch" - "gnutls-cross.patch" - "gnutls-CVE-2021-20231.patch" - "gnutls-CVE-2021-20232.patch")) + "gnutls-cross.patch")) (sha256 (base32 - "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) + "1czk511pslz367shf32f2jvvkp7y1323bcv88c2qng98mj0v6y8v")))) (build-system gnu-build-system) (arguments `(#:tests? ,(not (or (%current-target-system)
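
Review bot: the deletions of gnu/packages/patches/gnutls-CVE-2021-20231.patch and gnu/packages/patches/gnutls-CVE-2021-20232.patch come without a matching change to gnu/local.mk; the diffstat lists only three files. Guix registers every file under gnu/packages/patches in dist_patch_DATA there, so the two stale entries would point at files that no longer exist and break "make dist". Remove both entries from gnu/local.mk in this same commit.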
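
Review bot: in the "(define-public gnutls" hunk of gnu/packages/tls.scm, the version is bumped in place from "3.6.15" to "3.6.16", which changes the derivation of all 5287 dependents the message counts and forces them to rebuild on master. For a security fix, the route that avoids this is a graft: leave gnutls at 3.6.15, add a "(replacement gnutls-3.6.16)" field to it, define that variant with package/inherit carrying the new version, hash and trimmed patch list, and do the in-place bump on core-updates.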
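
Review bot: in the search-patches hunk of gnu/packages/tls.scm, "gnutls-CVE-2021-20231.patch" and "gnutls-CVE-2021-20232.patch" are dropped, yet the subject line names CVE-2021-20305, an identifier that appears nowhere in the diff. The commit message should state which CVEs the 3.6.16 tarball covers and note that the upstream commits carried by the removed patches (15beb4b193b2 for key_share.c, 75a937d97f4f for pre_shared_key.c) are part of that release, so the removal can be checked against the record. A ChangeLog-style entry per touched file would also bring the message in line with Guix's commit format.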