unofficial mirror of bug-guix@gnu.org 
* Re: GnuTLS security update
       [not found]   ` <20160912015322.GA3951@jasmine>
@ 2016-09-12 12:56     ` Ludovic Courtès
  2016-09-12 16:34       ` Leo Famulari
                         ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ludovic Courtès @ 2016-09-12 12:56 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, bug-guix

Leo Famulari <leo@famulari.name> skribis:

> $ ./pre-inst-env guix build gnutls            
> /gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
> /gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
> /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
>
> $ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
> /gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
> /gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> $ guix gc --references $(./pre-inst-env guix build msmtp) 
> /gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
> /gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
> /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
> /gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
> /gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
> /gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
> /gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> The problem is that the msmtp package I have built using this patch does
> not refer to the grafted gnutls. I got the same result after building a
> fresh Git clone of Guix.

Indeed, there’s a bug.  :-/

With your patch, I get:

--8<---------------cut here---------------start------------->8---
$ git describe
v0.11.0-970-g8d4169a
$ guix gc --references $(./pre-inst-env guix build msmtp)|grep gnutls
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls --no-grafts
/gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
/gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
/gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2
$ /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.2
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>
$ /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.4
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>
--8<---------------cut here---------------end--------------->8---

msmtp uses a GnuTLS that is different from both other GnuTLS.

I think the bug has to do with the fact that GnuTLS has a replacement
and at the same time needs to be grafted (the libidn and libgcrypt
grafts apply to GnuTLS).

In the meantime, I suggest that you apply the patch anyway.

Ludo’.
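
The comparison done by hand in the message above, as an added example that is not part of the thread or of Guix: a POSIX shell helper that classifies each reference to a dependency as grafted, ungrafted, or neither. The function names are hypothetical; the store paths are copied from the transcript above.

```shell
#!/bin/sh
# Added example, not from the thread.
# classify_refs NAME REFS GRAFTED UNGRAFTED
#   NAME       name-version of the dependency, e.g. "gnutls-3.5.2"
#   REFS       output of: guix gc --references ITEM
#   GRAFTED    output of: guix build PKG
#   UNGRAFTED  output of: guix build PKG --no-grafts
classify_refs() {
    name=$1 refs=$2 grafted=$3 ungrafted=$4
    printf '%s\n' "$refs" | while IFS= read -r ref; do
        # Strip "/gnu/store/<hash>-"; keep only the dependency's own items,
        # including extra outputs such as "-bin" or "-debug".
        case ${ref#/gnu/store/*-} in
            "$name"|"$name"-*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "$grafted" | grep -qxF -- "$ref"; then
            echo "grafted $ref"
        elif printf '%s\n' "$ungrafted" | grep -qxF -- "$ref"; then
            echo "ungrafted $ref"
        else
            echo "other $ref"   # from neither build, e.g. an older graft
        fi
    done
}

# Succeeds only if the dependency is referenced and every reference is grafted.
graft_applied() {
    out=$(classify_refs "$@")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -qv '^grafted '
}

# Store paths copied from the transcript above (subset of the msmtp references).
REFS='/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2'
GRAFTED='/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2'
UNGRAFTED='/gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
/gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
/gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2'

classify_refs gnutls-3.5.2 "$REFS" "$GRAFTED" "$UNGRAFTED"
```

On a live system the three lists would come from `guix gc --references`, `guix build` and `guix build --no-grafts`, the commands used in the transcript.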


* Re: GnuTLS security update
  2016-09-12 12:56     ` GnuTLS security update Ludovic Courtès
@ 2016-09-12 16:34       ` Leo Famulari
  2016-10-14  7:57       ` bug#24418: Grafted item refers to a mixture of grafted and ungrafted outputs of the same derivation Ludovic Courtès
  2016-10-14 21:37       ` bug#24418: GnuTLS security update Ludovic Courtès
  2 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-09-12 16:34 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, bug-guix

[-- Attachment #1: Type: text/plain, Size: 598 bytes --]

On Mon, Sep 12, 2016 at 02:56:13PM +0200, Ludovic Courtès wrote:
> msmtp uses a GnuTLS that is different from both other GnuTLS.

The GnuTLS being used [0] corresponds to the GnuTLS on the master branch
from before I pushed this graft.

> I think the bug has to do with the fact that GnuTLS has a replacement
> and at the same time needs to be grafted (the libidn and libgcrypt
> grafts apply to GnuTLS).
> 
> In the meantime, I suggest that you apply the patch anyway.

Okay, done as 974e2b297104d2de01632df1a56069b383e645f4

[0]
yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2


* bug#24418: Grafted item refers to a mixture of grafted and ungrafted outputs of the same derivation
  2016-09-12 12:56     ` GnuTLS security update Ludovic Courtès
  2016-09-12 16:34       ` Leo Famulari
@ 2016-10-14  7:57       ` Ludovic Courtès
  2016-10-14 21:37       ` bug#24418: GnuTLS security update Ludovic Courtès
  2 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2016-10-14  7:57 UTC (permalink / raw)
  To: 24418

Mark reported on IRC that gnome-session, as of v0.11.0-1639-g34f9582,
refers to the grafted “out” of glib, but at the same time refers to the
*ungrafted* “bin” output of glib:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build gnome-session
/gnu/store/rchskrbc42yjlb85lq8zigpvynwc2zz7-gnome-session-3.20.2
$ guix gc -R /gnu/store/rchskrbc42yjlb85lq8zigpvynwc2zz7-gnome-session-3.20.2|grep glib-2
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/c4rjjznraqnw7wk7zwr8ndmq7bdmj51q-glib-2.48.0-bin
$ ./pre-inst-env guix build glib
/gnu/store/ya5d1r6bvph3m5nisjywrnkvffpdrjfn-glib-2.48.0-bin
/gnu/store/jav2d6c39k3amv4k1670845li7284a6q-glib-2.48.0-doc
/gnu/store/77f9q6kvgrrwhqbzxzc10bwdwq6kd690-glib-2.48.0
$ ./pre-inst-env guix build glib --no-grafts
/gnu/store/c4rjjznraqnw7wk7zwr8ndmq7bdmj51q-glib-2.48.0-bin
/gnu/store/ib12bfrx83aawhabpp0rijgmm61gi0wg-glib-2.48.0-doc
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
--8<---------------cut here---------------end--------------->8---

Ludo’.


* bug#24418: GnuTLS security update
  2016-09-12 12:56     ` GnuTLS security update Ludovic Courtès
  2016-09-12 16:34       ` Leo Famulari
  2016-10-14  7:57       ` bug#24418: Grafted item refers to a mixture of grafted and ungrafted outputs of the same derivation Ludovic Courtès
@ 2016-10-14 21:37       ` Ludovic Courtès
  2 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2016-10-14 21:37 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, 24418

[-- Attachment #1: Type: text/plain, Size: 2144 bytes --]

Hello!

ludo@gnu.org (Ludovic Courtès) skribis:

> $ git describe
> v0.11.0-970-g8d4169a
> $ guix gc --references $(./pre-inst-env guix build msmtp)|grep gnutls
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
> $ ./pre-inst-env guix build gnutls
> /gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
> /gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
> /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
> $ ./pre-inst-env guix build gnutls --no-grafts
> /gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
> /gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
> /gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2
> $ /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2/bin/gnutls-cli --version
> gnutls-cli 3.5.2
> Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
> This is free software. It is licensed for use, modification and
> redistribution under the terms of the GNU General Public License,
> version 3 or later <http://gnu.org/licenses/gpl.html>
>
>
> Please send bug reports to:  <bugs@gnutls.org>
> $ /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2/bin/gnutls-cli --version
> gnutls-cli 3.5.4
> Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
> This is free software. It is licensed for use, modification and
> redistribution under the terms of the GNU General Public License,
> version 3 or later <http://gnu.org/licenses/gpl.html>

AFAICS this is fixed by these two patches:

b013c33 * grafts: 'graft-derivation' does now introduce grafts that shadow other grafts.
d0025d0 * packages: 'package-grafts' applies grafts on replacement.

Please let me know if you notice anything wrong.

For debugging purposes, I found it easier to have the attached patch
applied, so that replacements are easily distinguishable from the
original packages.  You might want to use it too.  :-)

(I didn’t apply it to master because it would lead to merge conflicts in
core-updates, but feel free to apply it if that seems OK to you.)

Thanks,
Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 1767 bytes --]

modified   gnu/packages/gnupg.scm
@@ -138,15 +138,14 @@ generation.")
 (define libgcrypt-1.5.6
   (package
     (inherit libgcrypt-1.5)
-    (source
-     (let ((version "1.5.6"))
-       (origin
-         (method url-fetch)
-         (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                             version ".tar.bz2"))
-         (sha256
-          (base32
-           "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h")))))))
+    (version "1.5.6")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
+                                  version ".tar.bz2"))
+              (sha256
+               (base32
+                "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"))))))
 
 (define-public libassuan
   (package
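
Review bot: The added `(version "1.5.6")` repeats the number already carried by the variable name `libgcrypt-1.5.6`, and nothing in the hunk says that this definition exists as a replacement or that the two must be bumped together. A one-line comment above `(define libgcrypt-1.5.6` stating its purpose and that the `version` field is now what distinguishes its output name from `libgcrypt-1.5` would record the intent given in the message. The `sha256` value is the same on the removed and added sides, so the fetched source is unchanged.
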
modified   gnu/packages/tls.scm
@@ -215,16 +215,15 @@ required structures.")
 (define gnutls-3.5.4
   (package
     (inherit gnutls)
-    (source
-      (let ((version "3.5.4"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "mirror://gnupg/gnutls/v"
-                              (version-major+minor version)
-                              "/gnutls-" version ".tar.xz"))
-          (sha256
-           (base32
-            "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
+    (version "3.5.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))))
 
 (define-public openssl
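
Review bot: In the added `uri` expression, `version` and `(version-major+minor version)` are no longer bound by a local `let`; they now rely on the `(version "3.5.4")` field added just above `source`. That dependency is implicit, so a short comment next to the field, or at least keeping `version` immediately before `source` as done here, would help the next person who updates the replacement. As in the libgcrypt hunk, the `base32` hash is identical on both sides, which confirms the tarball itself is not changed by this patch.
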

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
