From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 27429@debbugs.gnu.org
Subject: bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
Date: Thu, 29 Jun 2017 17:03:17 -0400	[thread overview]
Message-ID: <20170629210317.GB19238@jasmine.lan> (raw)
In-Reply-To: <87wp7ulftb.fsf@gnu.org>


[-- Attachment #1.1: Type: text/plain, Size: 613 bytes --]

On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
> Leo, let me know when you feel that we should start a new evaluation.

First I want to ungraft today's libgcrypt and poppler replacements.

I also want to apply the attached patch so we can stop using
libgcrypt-1.5 with Shishi, and instead use the latest libgcrypt. This
patch does require us to re-bootstrap Shishi, but I think it's worth it
if it means we can drop the older libgcrypt package. Does anyone have
feedback on this patch?

I'll do some local testing of this change in the next few hours and then
start the evaluation.

[-- Attachment #1.2: 0001-gnu-shishi-Build-with-latest-libgcrypt.patch --]
[-- Type: text/plain, Size: 6450 bytes --]

From 83fcaa7aac05f499a985ec02db55458e2d719de3 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 29 Jun 2017 04:11:18 -0400
Subject: [PATCH] gnu: shishi: Build with latest libgcrypt.

* gnu/packages/patches/shishi-fix-libgcrypt-detection.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (shishi)[source]: Use it.
[inputs]: Replace libgcrypt-1.5 with libgcrypt.
[native-inputs]: Add bootstrapping inputs.
[arguments]: Add a 'bootstrap' phase.
* gnu/packages/gnupg.scm (libgcrypt-1.5): Remove variable.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnupg.scm                             | 12 --------
 gnu/packages/kerberos.scm                          | 28 ++++++++++++-------
 .../patches/shishi-fix-libgcrypt-detection.patch   | 32 ++++++++++++++++++++++
 4 files changed, 51 insertions(+), 22 deletions(-)
 create mode 100644 gnu/packages/patches/shishi-fix-libgcrypt-detection.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b0690eda5..133eb977c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -986,6 +986,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/scotch-test-threading.patch		\
   %D%/packages/patches/sdl-libx11-1.6.patch			\
   %D%/packages/patches/seq24-rename-mutex.patch			\
+  %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
   %D%/packages/patches/slim-sigusr1.patch			\
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 9efd32a3f..c5a9a8954 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -115,18 +115,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define-public libgcrypt-1.5
-  (package (inherit libgcrypt)
-    (version "1.5.6")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                          version ".tar.bz2"))
-      (sha256
-       (base32
-        "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 6be7c82bc..20f36d11d 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -23,8 +23,10 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages linux)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -104,25 +107,30 @@ cryptography.")
       (method url-fetch)
       (uri (string-append "mirror://gnu/shishi/shishi-"
                           version ".tar.gz"))
+      (patches (search-patches "shishi-fix-libgcrypt-detection.patch"))
       (sha256
        (base32
         "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d"))))
     (build-system gnu-build-system)
-    (native-inputs `(("pkg-config" ,pkg-config)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'bootstrap
+           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
+    (native-inputs `(("pkg-config" ,pkg-config)
+                     ;; XXX For bootstrapping. Remove for the next Shishi
+                     ;; release after 1.0.2.
+                     ("autoconf" ,autoconf)
+                     ("automake" ,automake)
+                     ("gettext" ,gnu-gettext)
+                     ("libtool" ,libtool)
+                     ("texinfo" ,texinfo)))
     (inputs
      `(("gnutls" ,gnutls)
        ("libidn" ,libidn)
        ("linux-pam" ,linux-pam-1.2)
        ("zlib" ,zlib)
-       ;; libgcrypt 1.6 fails because of the following test:
-       ;;  #include <gcrypt.h>
-       ;; /* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c
-       ;;    will fail on startup if we don't have 1.4.4 or later, so
-       ;;    test for it early. */
-       ;; #if !defined GCRY_MODULE_ID_USER
-       ;; error too old libgcrypt
-       ;; #endif
-       ("libgcrypt" ,libgcrypt-1.5)
+       ("libgcrypt" ,libgcrypt)
        ("libtasn1" ,libtasn1)))
     (home-page "https://www.gnu.org/software/shishi/")
     (synopsis "Implementation of the Kerberos 5 network security system")
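Review bot: The `XXX` comment marks only the five bootstrapping native-inputs as temporary, but the `bootstrap` phase under `arguments` and the `patches` field in the origin have to be dropped at the same time, and nothing on those lines says so. A comment above the phase would tie the three together, for example `;; Regenerate 'configure': the patch edits gl/m4/gc.m4. Remove together with the patch.` Separately, this moves the crypto backend of a Kerberos implementation from libgcrypt 1.5.6 to the current release while relaxing only a configure-time detection check, so it is worth confirming that the `check` phase runs and passes against the new library. The hunk does not disable tests, so presumably it still runs. The `shishi` package definition begins and ends outside this hunk.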
diff --git a/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch b/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch
new file mode 100644
index 000000000..3db42feac
--- /dev/null
+++ b/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch
@@ -0,0 +1,32 @@
+Fix building of Shishi with libgcrypt 1.6 and later.
+
+Patch copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/shishi.git/tree/debian/patches/fix_gcrypt_detection.diff?id=948301ae648a542a408da250755aeed58a6e3542
+
+Description: Fix autoconf gnutls detection to also accept gcrypt 1.6.
+Author: Andreas Metzler <ametzler@debian.org>
+Bug-Debian: http://bugs.debian.org/753150
+Origin: vendor
+Forwarded: no
+Last-Update: 2014-07-18
+
+--- shishi-1.0.2.orig/gl/m4/gc.m4
++++ shishi-1.0.2/gl/m4/gc.m4
+@@ -12,10 +12,12 @@ AC_DEFUN([gl_GC],
+   if test "$libgcrypt" != no; then
+     AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [
+ #include <gcrypt.h>
+-/* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c
+-   will fail on startup if we don't have 1.4.4 or later, so
+-   test for it early. */
+-#if !defined GCRY_MODULE_ID_USER
++/* gc-libgcrypt.c will fail on startup if we don't have libgcrypt 1.4.4 or
++   later, test for it early. by checking for either
++   - GCRY_MODULE_ID_USER which was added in 1.4.4 and dropped in 1.6 or
++   - GCRYPT_VERSION_NUMBER which was added in 1.6.
++   */
++#if !defined GCRY_MODULE_ID_USER && !defined GCRYPT_VERSION_NUMBER
+ error too old libgcrypt
+ #endif
+ ])
-- 
2.13.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
