[bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

[bug#64982] [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)

[Denis 'GNUtoo' Carikli]

Hi,

The patch that will follow updates LibreSSL to the last version to fix the
CVE-2023-35784[1]. That CVE consist of a double free and a use after free and
is considered critical according to the NIST.

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784

While LibreSSL builds fine and that all its test pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
  gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0

[bug#64982] [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

[Denis 'GNUtoo' Carikli]

* gnu/packages/tls.scm (libressl): Update to 3.8.0.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
 (define-public libressl
   (package
     (name "libressl")
-    (version "3.6.1")
+    (version "3.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://openbsd/LibreSSL/"
                                   "libressl-" version ".tar.gz"))
               (sha256
                (base32
-                "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+                "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
-- 
2.41.0

bug#64982: Closing

[Andreas Enge]

Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me@tobias.gr>
Date:   Sun Aug 13 02:00:00 2023 +0200
    gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
    Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
    but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
    * gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:
   https://qa.guix.gnu.org/issue/64982
   https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.

Andreas