From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 22:54:09 +0200
Message-ID: <87zinei2dq.fsf@gnu.org>
References: <20160911154108.GA13920@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39635)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1bjBlb-0007EX-C4
	for guix-devel@gnu.org; Sun, 11 Sep 2016 16:54:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1bjBlV-00073Y-HU
	for guix-devel@gnu.org; Sun, 11 Sep 2016 16:54:18 -0400
In-Reply-To: <20160911154108.GA13920@jasmine> (Leo Famulari's message of "Sun,
	11 Sep 2016 11:41:08 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

Hi,

Leo Famulari <leo@famulari.name> skribis:

> For master, the naive approach of cherry-picking the patch [1] did not
> work; the test 'system-prio-file' fails consistently with that change. I
> could instead try grafting the updated version.

These 3 GnuTLS commits appear to be related to this issue:

--8<---------------cut here---------------start------------->8---
commit 8469db9dbcdd6ec22094a4f095201d80d981b9f0
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Aug 28 00:55:30 2016 +0200

    tests: added basic operational check of gnutls_ocsp_resp_get_single()

commit 8a0c9bbae25f75e30a913c6f4b29f468940398ca
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Aug 28 00:40:49 2016 +0200

    gnutls_ocsp_resp_get_single: reorganized function to eliminate memory l=
eaks
=20=20=20=20
    Simplified and optimized the function operation, by removing
    unecessary memory allocations, as well as eliminate memory leaks
    on certain error cases.

commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Aug 27 17:00:22 2016 +0200

    ocsp: corrected the comparison of the serial size in OCSP response
=20=20=20=20
    Previously the OCSP certificate check wouldn't verify the serial length
    and could succeed in cases it shouldn't.
=20=20=20=20
    Reported by Stefan Buehler.
--8<---------------cut here---------------end--------------->8---

If applying these patches on top of our current GnuTLS version (and then
using it as a graft) works, we could do that.

If not, using the later 3.5.x release should be OK (API- and
ABI-compatible).

Ludo=E2=80=99.