From: Leo Famulari
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 21:53:22 -0400
Message-ID: <20160912015322.GA3951@jasmine>
In-Reply-To: <87zinei2dq.fsf@gnu.org>
References: <20160911154108.GA13920@jasmine> <87zinei2dq.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sun, Sep 11, 2016 at 10:54:09PM +0200, Ludovic Courtès wrote:
> These 3 GnuTLS commits appear to be related to this issue:

[...]

> If applying these patches on top of our current GnuTLS version (and then
> using it as a graft) works, we could do that.

Unfortunately the test fails in the same way, even with all 3 commits.

> If not, using the later 3.5.x release should be OK (API- and
> ABI-compatible).

The release notes for 3.5.3 and 3.5.4 [0] only mention the addition of new
macros and functions, but no removals or modifications of existing
interfaces.

I've attached a patch that uses a graft to replace gnutls@3.5.2 with
gnutls-3.5.4, which is the latest release.
However, while testing the patch, I noticed something surprising:

$ git show
commit 2f6a667cfe87d13a878e7ca97e3f760771f22ce1
Author: Leo Famulari
Date:   Sat Sep 10 18:09:20 2016 -0400

    gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].

[...]

$ ./pre-inst-env guix build gnutls
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2

$ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
/gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
/gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

$ guix gc --references $(./pre-inst-env guix build msmtp)
/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

The problem is that the msmtp package I have built using this patch does
not refer to the grafted gnutls.

I got the same result after building a fresh Git clone of Guix.

[0]
https://lists.gnupg.org/pipermail/gnutls-devel/2016-August/008126.html
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008152.html

[Attachment: 0001-gnu-gnutls-Replace-with-3.5.4-fixes-GNUTLS-SA-2016-3.patch]

From 2f6a667cfe87d13a878e7ca97e3f760771f22ce1 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sat, 10 Sep 2016 18:09:20 -0400
Subject: [PATCH] gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.4): New variable.
---
 gnu/packages/tls.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b04cac..ad9dee0 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -137,6 +137,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.5.4)
     (version "3.5.2")
     (source (origin
              (method url-fetch)
@@ -210,6 +211,20 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define gnutls-3.5.4
+  (package
+    (inherit gnutls)
+    (source
+     (let ((version "3.5.4"))
+       (origin
+         (method url-fetch)
+         (uri (string-append "mirror://gnupg/gnutls/v"
+                             (version-major+minor version)
+                             "/gnutls-" version ".tar.xz"))
+         (sha256
+          (base32
+           "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
+
 (define-public openssl
   (package
     (name "openssl")
-- 
2.10.0
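Review bot: the `+ (replacement gnutls-3.5.4)` line in the first hunk refers to a variable that is only defined further down the file, in the second hunk; that works because Guix evaluates the `replacement` field lazily, but a one-line comment above it naming the advisory it is there for (GNUTLS-SA-2016-3, from the commit title) and saying it should be dropped at the next full rebuild would make the intent visible in the file itself rather than only in the git log.

Review bot: the second hunk defines `gnutls-3.5.4` with `(inherit gnutls)` and overrides only `source`, so the graft is only sound if 3.5.4 builds with the inherited `arguments`, keeps the same outputs (`debug`, `doc`) and stays ABI-compatible with 3.5.2; the cover e-mail states that the 3.5.3 and 3.5.4 release notes add only new macros and functions, but the commit message records none of this. Suggest adding the two release-note URLs from the e-mail to the commit message so the ABI reasoning travels with the change, and, once the propagation problem reported in the e-mail (msmtp still referencing the ungrafted `yrl3...-gnutls-3.5.2` output) is resolved, noting in the log how the graft was verified to reach dependents.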
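The check Leo performs by hand above (build the grafted package, then inspect a dependent's references) is exactly the kind of thing worth automating when shipping a security graft, because a graft that does not reach dependents leaves them on the vulnerable library while the build log looks green. The following is an added example, not code from the message or from Guix: it parses the plain-text output of `guix build` and `guix gc --references` as pasted above, and flags any reference whose store name matches a grafted output but whose hash does not. It assumes, as the message's output shows, that a grafted output keeps the original name (`gnutls-3.5.2`) and differs only in its hash; the sample inputs are the store paths copied from the message.

```python
"""Verify that a dependent's runtime references point at grafted outputs.

Added example, not part of the original message or of Guix. It reads the
text that `guix build` and `guix gc --references` print and reports any
reference that still names the un-grafted output.
"""
import re
from typing import Dict, List, NamedTuple

# A store path is /gnu/store/<32-char nix-base32 hash>-<name-version[-output]>.
STORE_RE = re.compile(r"^/gnu/store/([0-9a-z]{32})-(.+)$")

# Sample input: the outputs of `./pre-inst-env guix build gnutls` from the
# message above (the grafted build).
GRAFTED_GNUTLS = """
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
"""

# Sample input: `guix gc --references $(./pre-inst-env guix build msmtp)`
# from the message above.
MSMTP_REFERENCES = """
/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
"""


class StorePath(NamedTuple):
    hash: str   # the 32-character hash part
    name: str   # e.g. "gnutls-3.5.2" or "gnutls-3.5.2-debug"
    path: str   # the full path as printed


def parse_store_paths(text: str) -> List[StorePath]:
    """Parse one store path per line; blank or non-store lines are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        match = STORE_RE.match(line)
        if match:
            paths.append(StorePath(match.group(1), match.group(2), line))
    return paths


def stale_references(grafted_outputs: str, references: str) -> List[str]:
    """Return references that share a name with a grafted output but not its hash.

    An empty list means every reference to the replaced package already
    points at the grafted build; a non-empty list means the dependent still
    links against the un-grafted (vulnerable) output.
    """
    expected: Dict[str, str] = {
        p.name: p.hash for p in parse_store_paths(grafted_outputs)
    }
    stale = []
    for ref in parse_store_paths(references):
        if ref.name in expected and ref.hash != expected[ref.name]:
            stale.append(ref.path)
    return stale


if __name__ == "__main__":
    # With the message's own data this reports the yrl3...-gnutls-3.5.2 path,
    # i.e. the problem Leo describes.
    for path in stale_references(GRAFTED_GNUTLS, MSMTP_REFERENCES):
        print("NOT GRAFTED:", path)
```

In practice the two inputs come from running the two commands and piping their output into this script; the hash comparison is what matters, since the name alone is identical for the grafted and un-grafted builds and cannot tell them apart.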