Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Christopher Allan Webber <cwebber@dustycloud.org>]

[-- Attachment #1: Type: text/plain, Size: 1754 bytes --]

Mark H Weaver writes:

> Hi Chris,
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Hello all,
>>
>> New security release of libgcrypt:
>>
>>> Hello!
>>> 
>>> The GNU project is pleased to announce the availability of Libgcrypt
>>> version 1.6.5.  This is a security fix release to mitigate a new side
>>> channel attack.
>>> 
>>> Noteworthy changes in version 1.6.5
>>> ===================================
>>> 
>>>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>>>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>>    details.
>>> 
>>>  * Fix build problem on Solaris.
>>
>> Here's a patch.  It seems to build fine.
>>
>> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
>> From: Christopher Allan Webber <cwebber@dustycloud.org>
>> Date: Tue, 9 Feb 2016 11:49:06 -0800
>> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>>
>> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
>
> Thank you!  The summary line should include the CVE, like this:
>
>   gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

Okay!  I wasn't aware of that convention.

> Alas, this will require at least 7000 rebuilds.  After the current
> 'security-updates' branch is merged, this should go on the next
> 'security-updates' branch, together with more fixes for graphite2 and
> libsndfile.

Yes it's unfortunate... it seems like security researchers are upping
their game in the post-heartbleed world (whatever that means)?  I guess
that's good... better good security researchers do this stuff than some
other unspecified groups... but kind of a headache here? :)

Anyway, new patch!  I don't know what to do about the security-updates
branch so I'll let you apply/push it.

 - Chris


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libgcrypt-Update-to-1.6.5-fixes-CVE-2015-7511.patch --]
[-- Type: text/x-patch, Size: 1192 bytes --]

From 6fec07507956efd6f7055d37d268c97ca5771d8c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Tue, 9 Feb 2016 11:49:06 -0800
Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

* gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
---
 gnu/packages/gnupg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a35e8fc..608c437 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -70,14 +70,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.4")
+    (version "1.6.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69"))))
+               "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
-- 
2.6.3