* [bug#46183] [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
From: guix-patches--- via @ 2021-01-30 4:20 UTC (permalink / raw)
To: 46183
Hi Guix! Please review ASAP. This update fixes an exploitable heap overflow.
## Info
https://dev.gnupg.org/T5275
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
Ryan Prior (1):
gnu: libgcrypt: Update to 1.9.1.
gnu/packages/gnupg.scm | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--
2.30.0
* [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.
From: guix-patches--- via @ 2021-01-30 4:24 UTC (permalink / raw)
To: 46183
* gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
---
gnu/packages/gnupg.scm | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a2da166bb4..f226d092dc 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -131,14 +131,13 @@ Daemon and possibly more in the future.")
(define-public libgcrypt
(package
(name "libgcrypt")
- (version "1.8.5")
+ (version "1.9.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
version ".tar.bz2"))
(sha256
- (base32
- "1hvsazms1bfd769q0ngl0r9g5i4m9mpz9jmvvrdzyzk3rfa2ljiv"))))
+ (base32 "1nb50bgzp83q6r5cz4v40y1mcbhpqwqyxlay87xp1lrbkf5pm9n5"))))
(build-system gnu-build-system)
(propagated-inputs
`(("libgpg-error-host" ,libgpg-error)))
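Review bot: at `(version "1.9.1")`, the bump is made directly on the `libgcrypt` definition, which the replies in this thread count as having 12119 dependent packages, so applying it to master rebuilds all of them. Retarget the patch at core-updates, or keep this definition at 1.8.5 and provide 1.9.1 as a graft if master needs it sooner. The commit log also names `(libcrypt)` where the variable in this hunk is `libgcrypt`.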
--
2.30.0
* [bug#46183] [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
From: lordyuuma @ 2021-01-30 7:56 UTC (permalink / raw)
To: Ryan Prior, 46183
Hi Ryan,
On Saturday, 30.01.2021 at 04:20 +0000, Ryan Prior wrote:
> Hi Guix! Please review ASAP. This update fixes an exploitable heap
> overflow.
>
> https://dev.gnupg.org/T5275
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
I have some good news and some bad news. The good news is that,
according to your sources, this affects only version 1.9.0, so master is
currently safe. The bad news is that libgcrypt has more than 10000
dependants, so an update for it should go to core-updates.
Regards,
Leo
* [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.
From: guix-patches--- via @ 2021-01-30 8:08 UTC (permalink / raw)
To: Ryan Prior; +Cc: 46183
Ryan,
guix-patches--- via wrote:
> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
Thanks.
> - (version "1.8.5")
> + (version "1.9.1")
libgcrypt has 12119(!) dependent packages. Can we use a graft
here? This nongrafted version can then go to core-updates.
Grafting means we keep these packages built against 1.8.5 and
force-feed them 1.9.1 instead, which might not work reliably
across minor versions but needs to be tried before rebuilding the
world.
Kind regards,
T G-R
* [bug#46183] [PATCH 1/1] gnu: libgcrypt: Update to 1.9.1.
From: Guillaume Le Vaillant @ 2021-01-30 8:39 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: Ryan Prior, 46183
guix-patches--- via <guix-patches@gnu.org> wrote:
> Ryan,
>
> guix-patches--- via wrote:
>> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
>
> Thanks.
>
>> - (version "1.8.5")
>> + (version "1.9.1")
>
> libgcrypt has 12119(!) dependent packages. Can we use a graft here? This
> nongrafted version can then go to core-updates.
>
> Grafting means we keep these packages built against 1.8.5 and force-feed them
> 1.9.1 instead, which might not work reliably across minor versions but needs to
> be tried before rebuilding the world.
>
> Kind regards,
>
> T G-R
According to the news at https://gnupg.org:
--8<---------------cut here---------------start------------->8---
Libgcrypt 1.9.1 released (2021-01-29) important
Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
If you already started to use version 1.9.0 please update immediately to 1.9.1.
--8<---------------cut here---------------end--------------->8---
Currently the master and staging branch are using libgcrypt 1.8.5 and
core-updates is using 1.8.7. These versions don't have the critical bug
as it was introduced in version 1.9.0. So I think updating libgcrypt on
master is not an emergency, we just have to remember to never use
version 1.9.0.
* bug#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
From: Ludovic Courtès @ 2021-02-01 11:50 UTC (permalink / raw)
To: Guillaume Le Vaillant; +Cc: 46183-done, Ryan Prior
Hi,
Guillaume Le Vaillant <glv@posteo.net> wrote:
> According to the news at https://gnupg.org:
>
> Libgcrypt 1.9.1 released (2021-01-29) important
>
> Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
> If you already started to use version 1.9.0 please update immediately to 1.9.1.
>
> Currently the master and staging branch are using libgcrypt 1.8.5 and
> core-updates is using 1.8.7. These versions don't have the critical bug
> as it was introduced in version 1.9.0. So I think updating libgcrypt on
> master is not an emergency, we just have to remember to never use
> version 1.9.0.
Indeed. So closing this bug. That said, we can update libgcrypt in
‘core-updates’.
Ludo’.