From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Leo Famulari
Subject: bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
Date: Thu, 29 Jun 2017 17:03:17 -0400
Message-ID: <20170629210317.GB19238@jasmine.lan>
References: <20170620071857.GA2768@macbook42.flashner.co.il> <87shiumj05.fsf@netris.org> <20170621084134.GA2870@macbook42.flashner.co.il> <20170621095045.GB2870@macbook42.flashner.co.il> <20170621235227.GA4510@jasmine.lan> <20170622000336.GB4510@jasmine.lan> <87zid0iksk.fsf@netris.org> <87mv8rqcuu.fsf@gnu.org> <87h8yyn696.fsf@netris.org> <87wp7ulftb.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="mvpLiMfbWzRoNl4x"
Content-Disposition: inline
In-Reply-To: <87wp7ulftb.fsf@gnu.org>
To: Ludovic Courtès
Cc: 27429@debbugs.gnu.org

--mvpLiMfbWzRoNl4x
Content-Type: multipart/mixed; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
> Leo, let me know when you feel that we should start a new evaluation.

First I want to ungraft today's libgcrypt and poppler replacements.

I also want to apply the attached patch so we can stop using libgcrypt-1.5 with Shishi, and instead use the latest libgcrypt. This patch does require us to re-bootstrap Shishi, but I think it's worth it if it means we can drop the older libgcrypt package. Does anyone have feedback on this patch?

I'll do some local testing of this change in the next few hours and then start the evaluation.

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-shishi-Build-with-latest-libgcrypt.patch"
Content-Transfer-Encoding: quoted-printable

From 83fcaa7aac05f499a985ec02db55458e2d719de3 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 29 Jun 2017 04:11:18 -0400
Subject: [PATCH] gnu: shishi: Build with latest libgcrypt.

* gnu/packages/patches/shishi-fix-libgcrypt-detection.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (shishi)[source]: Use it.
[inputs]: Replace libgcrypt-1.5 with libgcrypt.
[native-inputs]: Add bootstrapping inputs.
[arguments]: Add a 'bootstrap' phase.
* gnu/packages/gnupg.scm (libgcrypt-1.5): Remove variable.
--- gnu/local.mk | 1 + gnu/packages/gnupg.scm | 12 -------- gnu/packages/kerberos.scm | 28 ++++++++++++------- .../patches/shishi-fix-libgcrypt-detection.patch | 32 ++++++++++++++++++= ++++ 4 files changed, 51 insertions(+), 22 deletions(-) create mode 100644 gnu/packages/patches/shishi-fix-libgcrypt-detection.pat= ch diff --git a/gnu/local.mk b/gnu/local.mk index b0690eda5..133eb977c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -986,6 +986,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/scotch-test-threading.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ + %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ %D%/packages/patches/slim-sigusr1.patch \ diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index 9efd32a3f..c5a9a8954 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -115,18 +115,6 @@ generation.") (properties '((ftp-server . "ftp.gnupg.org") (ftp-directory . "/gcrypt/libgcrypt"))))) =20 -(define-public libgcrypt-1.5 - (package (inherit libgcrypt) - (version "1.5.6") - (source - (origin - (method url-fetch) - (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-" - version ".tar.bz2")) - (sha256 - (base32 - "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h")))))) - (define-public libassuan (package (name "libassuan") diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm index 6be7c82bc..20f36d11d 100644 --- a/gnu/packages/kerberos.scm +++ b/gnu/packages/kerberos.scm @@ -23,8 +23,10 @@ =20 (define-module (gnu packages kerberos) #:use-module (gnu packages) + #:use-module (gnu packages autotools) #:use-module (gnu packages bison) #:use-module (gnu packages perl) + #:use-module (gnu packages gettext) #:use-module (gnu packages gnupg) #:use-module (gnu packages libidn) #:use-module (gnu packages linux) @@ -32,6 +34,7 @@ #:use-module (gnu packages compression) #:use-module (gnu packages databases) #:use-module (gnu packages readline) + #:use-module (gnu packages texinfo) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) 
@@ -104,25 +107,30 @@ cryptography.") (method url-fetch) (uri (string-append "mirror://gnu/shishi/shishi-" version ".tar.gz")) + (patches (search-patches "shishi-fix-libgcrypt-detection.patch")) (sha256 (base32 "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d")))) (build-system gnu-build-system) - (native-inputs `(("pkg-config" ,pkg-config))) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-before 'configure 'bootstrap + (lambda _ (zero? (system* "autoreconf" "-vfi"))))))) + (native-inputs `(("pkg-config" ,pkg-config) + ;; XXX For bootstrapping. Remove for the next Shishi + ;; release after 1.0.2. + ("autoconf" ,autoconf) + ("automake" ,automake) + ("gettext" ,gnu-gettext) + ("libtool" ,libtool) + ("texinfo" ,texinfo))) (inputs `(("gnutls" ,gnutls) ("libidn" ,libidn) ("linux-pam" ,linux-pam-1.2) ("zlib" ,zlib) - ;; libgcrypt 1.6 fails because of the following test: - ;; #include - ;; /* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c - ;; will fail on startup if we don't have 1.4.4 or later, so - ;; test for it early. */ - ;; #if !defined GCRY_MODULE_ID_USER - ;; error too old libgcrypt - ;; #endif - ("libgcrypt" ,libgcrypt-1.5) + ("libgcrypt" ,libgcrypt) ("libtasn1" ,libtasn1))) (home-page "https://www.gnu.org/software/shishi/") (synopsis "Implementation of the Kerberos 5 network security system") diff --git a/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch b/gn= u/packages/patches/shishi-fix-libgcrypt-detection.patch new file mode 100644 index 000000000..3db42feac --- /dev/null +++ b/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch 
@@ -0,0 +1,32 @@ +Fix building of Shishi with libgcrypt 1.6 and later. + +Patch copied from Debian: + +https://anonscm.debian.org/cgit/collab-maint/shishi.git/tree/debian/patche= s/fix_gcrypt_detection.diff?id=3D948301ae648a542a408da250755aeed58a6e3542 + +Description: Fix autoconf gnutls detection to also accept gcrypt 1.6. +Author: Andreas Metzler +Bug-Debian: http://bugs.debian.org/753150 +Origin: vendor +Forwarded: no +Last-Update: 2014-07-18 + +--- shishi-1.0.2.orig/gl/m4/gc.m4 ++++ shishi-1.0.2/gl/m4/gc.m4 +@@ -12,10 +12,12 @@ AC_DEFUN([gl_GC], + if test "$libgcrypt" !=3D no; then + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [ + #include +-/* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c +- will fail on startup if we don't have 1.4.4 or later, so +- test for it early. */ +-#if !defined GCRY_MODULE_ID_USER ++/* gc-libgcrypt.c will fail on startup if we don't have libgcrypt 1.4.4 or ++ later, test for it early. by checking for either ++ - GCRY_MODULE_ID_USER which was added in 1.4.4 and dropped in 1.6 or ++ - GCRYPT_VERSION_NUMBER which was added in 1.6. 
++ */ ++#if !defined GCRY_MODULE_ID_USER && !defined GCRYPT_VERSION_NUMBER + error too old libgcrypt + #endif + ]) --=20 2.13.2
--uQr8t48UFsdbeI+V--
--mvpLiMfbWzRoNl4x
Content-Type: application/pgp-signature; name="signature.asc"
--mvpLiMfbWzRoNl4x--
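Review bot: In the gnu/packages/gnupg.scm hunk, deleting the public variable libgcrypt-1.5 will break any other package definition that still refers to it, and the patch as posted only updates shishi in kerberos.scm. Please grep the tree for libgcrypt-1.5 before pushing and say in the commit log (or the cover mail) that shishi was its last user.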
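Review bot: In the shishi hunk of gnu/packages/kerberos.scm, the "XXX For bootstrapping" comment sits only on native-inputs, but the 'bootstrap phase under arguments and the patches field in the origin have to be removed at the same moment, and nothing at the phase says why autoreconf is run on a release tarball. Suggest a one-line comment on the phase stating that the patch changes gl/m4/gc.m4 and so configure must be regenerated, and have the XXX comment name the phase and the patch as well as the five extra inputs.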
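Review bot: In the new gnu/packages/patches/shishi-fix-libgcrypt-detection.patch, the header records "Forwarded: no" with a Last-Update of 2014-07-18, so nothing visible here shows that upstream has the fix, while the XXX comment in kerberos.scm assumes the bootstrapping inputs can go with the next release after 1.0.2. Consider forwarding the change to Shishi upstream or stating its upstream status in the header. A smaller point: the Debian "Description:" line says "gnutls detection" although the change is to the gcrypt test in gl/m4/gc.m4; the first line of the header already describes it correctly, so that line is the one readers should rely on.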