From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 21:53:22 -0400
Message-ID: <20160912015322.GA3951@jasmine>
In-Reply-To: <87zinei2dq.fsf@gnu.org>



On Sun, Sep 11, 2016 at 10:54:09PM +0200, Ludovic Courtès wrote:
> These 3 GnuTLS commits appear to be related to this issue:

[...]

> If applying these patches on top of our current GnuTLS version (and then
> using it as a graft) works, we could do that.

Unfortunately the test fails in the same way, even with all 3 commits.

> If not, using the later 3.5.x release should be OK (API- and
> ABI-compatible).

The release notes for 3.5.3 and 3.5.4 [0] only mention the addition of
new macros and functions, but no removals or modifications of existing
interfaces.

I've attached a patch that uses a graft to replace gnutls@3.5.2 with
gnutls-3.5.4, which is the latest release.

However, while testing the patch, I noticed something surprising:

$ git show
commit 2f6a667cfe87d13a878e7ca97e3f760771f22ce1
Author: Leo Famulari <leo@famulari.name>
Date:   Sat Sep 10 18:09:20 2016 -0400

    gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].
[...]

$ ./pre-inst-env guix build gnutls
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2

$ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
/gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
/gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

$ guix gc --references $(./pre-inst-env guix build msmtp)
/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

The problem is that the msmtp package I have built using this patch does
not refer to the grafted gnutls. I got the same result after building a
fresh Git clone of Guix.

[0]
https://lists.gnupg.org/pipermail/gnutls-devel/2016-August/008126.html
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008152.html

[-- Attachment #1.2: 0001-gnu-gnutls-Replace-with-3.5.4-fixes-GNUTLS-SA-2016-3.patch --]
[-- Type: text/plain, Size: 1464 bytes --]

From 2f6a667cfe87d13a878e7ca97e3f760771f22ce1 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 10 Sep 2016 18:09:20 -0400
Subject: [PATCH] gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].

* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.4): New variable.
---
 gnu/packages/tls.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b04cac..ad9dee0 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -137,6 +137,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.5.4)
     (version "3.5.2")
     (source (origin
              (method url-fetch)
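Review bot: the `(replacement gnutls-3.5.4)` field added right after `(name "gnutls")` refers to a variable that is only defined further down in the file; that works because the `replacement` field of a Guix package is thunked, so it is evaluated lazily, but it is worth stating in the commit message that the variable is deliberately kept private (a plain `define`, as the second hunk does) so that the 3.5.4 package is never offered as an installable package of its own. One more point for the commit message, since it will save the next person a confused debugging session: a graft keeps the original derivation name, so a correctly grafted build is still printed as `…-gnutls-3.5.2`; the only visible difference is the store hash, and the right check for whether the graft applied is to compare `guix build gnutls` with `guix build --no-grafts gnutls`, not to look for `3.5.4` in the path.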
@@ -210,6 +211,20 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define gnutls-3.5.4
+  (package
+    (inherit gnutls)
+    (source
+      (let ((version "3.5.4"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "mirror://gnupg/gnutls/v"
+                              (version-major+minor version)
+                              "/gnutls-" version ".tar.xz"))
+          (sha256
+           (base32
+            "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
+
 (define-public openssl
   (package
    (name "openssl")
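Review bot: `(inherit gnutls)` carries over `(version "3.5.2")`, and the `let ((version "3.5.4"))` only binds a local name for building the URI, so the replacement package's own `version` field still reads 3.5.2 even though its source is the 3.5.4 tarball, and `package-version` and the derivation name built from it describe the wrong release. Add `(version "3.5.4")` to the replacement (the `let` can stay for the `string-append` call, or the URI can use the field value directly). The new definition also carries no comment saying why it exists; a one-line `;; Replacement for GNUTLS-SA-2016-3.` above `(define gnutls-3.5.4` keeps the security rationale next to the code once the commit message is no longer at hand.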
-- 
2.10.0


