From: Marius Bakke <marius@gnu.org>
To: Leo Famulari <leo@famulari.name>, 48648@debbugs.gnu.org
Cc: Solene Rapenne <solene@perso.pw>
Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Tue, 25 May 2021 21:46:10 +0200 [thread overview]
Message-ID: <87o8cyppfh.fsf@gnu.org> (raw)
In-Reply-To: <YK0cotMnzZangjHR@jasmine.lan>
[-- Attachment #1: Type: text/plain, Size: 1337 bytes --]
Leo Famulari <leo@famulari.name> skriver:
> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should instead cherry-pick the CVE bug fix instead of updating.
GnuTLS usually mention whether or not an update is ABI-compatible:
https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html
However it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package). I.e.:
abidiff $(guix build gnutls)/lib/libgnutls.so \
$(./pre-inst-env guix build gnutls)/lib/libgnutls.so
(this won't work because of multiple outputs, but you get the drill)
When there is no change, the graft _should_ be perfectly safe. If there
are changes, it becomes a judgement call. The 'abidiff' output is of
great assistance in that case.
Anyway, just some general notes on grafting. Thanks a lot for looking
after security issues Solene.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
next prev parent reply other threads:[~2021-05-25 19:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-25 10:36 [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305] Solene Rapenne via Guix-patches via
2021-05-25 15:49 ` Leo Famulari
2021-05-25 19:46 ` Marius Bakke [this message]
2021-05-25 20:00 ` Leo Famulari
2021-05-25 20:47 ` Solene Rapenne via Guix-patches via
2021-05-27 14:28 ` Leo Famulari
2021-05-28 17:06 ` Solene Rapenne via Guix-patches via
2021-05-28 18:57 ` bug#48648: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o8cyppfh.fsf@gnu.org \
--to=marius@gnu.org \
--cc=48648@debbugs.gnu.org \
--cc=leo@famulari.name \
--cc=solene@perso.pw \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).