all messages for Guix-related lists mirrored at yhetil.org
* GnuTLS security advisories
@ 2017-01-10 18:18 Leo Famulari
  2017-01-10 22:15 ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}] Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-10 18:18 UTC (permalink / raw)
  To: guix-devel

GNUTLS-SA-2017-1:
https://gnutls.org/security.html#GNUTLS-SA-2017-1

GNUTLS-SA-2017-2:
https://gnutls.org/security.html#GNUTLS-SA-2017-2


* [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}].
  2017-01-10 18:18 GnuTLS security advisories Leo Famulari
@ 2017-01-10 22:15 ` Ludovic Courtès
  2017-01-10 22:36   ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}] Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-10 22:15 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/tls.scm (gnutls-3.5.8): New variable.
(gnutls)[replacement]: New field.
---
 gnu/packages/tls.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index e577421fa..a2136e26a 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
@@ -139,6 +139,7 @@ living in the same process.")
   (package
     (name "gnutls")
     (version "3.5.4")
+    (replacement gnutls-3.5.8)
     (source (origin
              (method url-fetch)
              (uri
@@ -211,6 +212,20 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define-public gnutls-3.5.8                       ;fixes GNUTLS-SA-2017-{1,2}
+  (package
+    (inherit gnutls)
+    (version "3.5.8")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
+    (replacement #f)))
+
 (define-public openssl
   (package
    (name "openssl")
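Review bot: `gnutls-3.5.8` in the last hunk is introduced with `define-public`, which exports a second package whose `name` is still "gnutls" (inherited through `(inherit gnutls)`), so the graft target becomes visible to name-based lookups alongside the package it replaces. It is only referenced from the `replacement` field of `gnutls`, so a plain `(define gnutls-3.5.8 ...)` would keep it private. The `(replacement #f)` override should stay: without it the inherited field would make the new package name itself as its own replacement.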
-- 
2.11.0


* Re: [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}].
  2017-01-10 22:15 ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}] Ludovic Courtès
@ 2017-01-10 22:36   ` Leo Famulari
  2017-01-10 22:41     ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}] Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-10 22:36 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, Jan 10, 2017 at 11:15:32PM +0100, Ludovic Courtès wrote:
> * gnu/packages/tls.scm (gnutls-3.5.8): New variable.
> (gnutls)[replacement]: New field.

> +(define-public gnutls-3.5.8                       ;fixes GNUTLS-SA-2017-{1,2}

Typically these replacements are not exported. The last time I noticed
an exported replacement, I found that it was resolved
non-deterministically (using `guix build -S` in a loop), and we made the
replacement private:

http://git.savannah.gnu.org/cgit/guix.git/commit/?id=69aa6e0995b55a38d5ce174602a107645be726d5


* Re: [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}].
  2017-01-10 22:36   ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}] Leo Famulari
@ 2017-01-10 22:41     ` Ludovic Courtès
  2017-01-10 23:08       ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}] Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-10 22:41 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Tue, Jan 10, 2017 at 11:15:32PM +0100, Ludovic Courtès wrote:
>> * gnu/packages/tls.scm (gnutls-3.5.8): New variable.
>> (gnutls)[replacement]: New field.
>
>> +(define-public gnutls-3.5.8                       ;fixes GNUTLS-SA-2017-{1,2}
>
> Typically these replacements are not exported.

Good catch!  I fixed that and pushed.

> The last time I noticed an exported replacement, I found that it was
> resolved non-deterministically (using `guix build -S` in a loop), and
> we made the replacement private:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=69aa6e0995b55a38d5ce174602a107645be726d5

I can’t seem to reproduce it here, but it sounds like an interesting
bug.  :-)

Ludo’.


* Re: [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}].
  2017-01-10 22:41     ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}] Ludovic Courtès
@ 2017-01-10 23:08       ` Leo Famulari
  2017-01-11 17:17         ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-10 23:08 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, Jan 10, 2017 at 11:41:40PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> writes:
> > The last time I noticed an exported replacement, I found that it was
> > resolved non-deterministically (using `guix build -S` in a loop), and
> > we made the replacement private:
> >
> > http://git.savannah.gnu.org/cgit/guix.git/commit/?id=69aa6e0995b55a38d5ce174602a107645be726d5
> 
> I can’t seem to reproduce it here, but it sounds like an interesting
> bug.  :-)

Me neither. IIRC, it would manifest at least 1/10 iterations of the
loop.


* Re: [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}].
  2017-01-10 23:08       ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1,2}] Leo Famulari
@ 2017-01-11 17:17         ` Leo Famulari
  2017-01-12 14:18           ` [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}] Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-11 17:17 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, Jan 10, 2017 at 06:08:39PM -0500, Leo Famulari wrote:
> On Tue, Jan 10, 2017 at 11:41:40PM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> writes:
> > > The last time I noticed an exported replacement, I found that it was
> > > resolved non-deterministically (using `guix build -S` in a loop), and
> > > we made the replacement private:
> > >
> > > http://git.savannah.gnu.org/cgit/guix.git/commit/?id=69aa6e0995b55a38d5ce174602a107645be726d5
> > 
> > I can’t seem to reproduce it here, but it sounds like an interesting
> > bug.  :-)
> 
> Me neither. IIRC, it would manifest at least 1/10 iterations of the
> loop.

I can reproduce it by applying the diff below on
88f2dd1ddf8123f628ee0b64406b6fd2a6a9f076 and running:

$ while true; do ./pre-inst-env guix build gnutls -S; done
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index e577421fa..19d5049c3 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -138,6 +138,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.5.8)
     (version "3.5.4")
     (source (origin
              (method url-fetch)
@@ -211,6 +212,20 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define-public gnutls-3.5.8
+  (package
+    (inherit gnutls)
+    (source
+      (let ((version "3.5.8"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "mirror://gnupg/gnutls/v"
+                              (version-major+minor version)
+                              "/gnutls-" version ".tar.xz"))
+          (sha256
+           (base32
+            "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf")))))))
+
 (define-public openssl
   (package
    (name "openssl")
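Review bot: in the second hunk `gnutls-3.5.8` overrides only `source`; `version` is let-bound inside the `source` expression, so the package-level `version` is still inherited as "3.5.4" and the inherited `replacement` field is not reset. Together with `define-public` this exports two packages with the same name and version, which matches the `choosing gnutls-3.5.4` warnings alternating between lines 139 and 216 in the output above. If this is meant as more than a reproducer, set `(version "3.5.8")` and `(replacement #f)` at package level and use `define` instead of `define-public`.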


* Re: [PATCH] gnu: gnutls: Replace with 3.5.8 [fixes GNUTLS-SA-2017-{1, 2}].
  2017-01-11 17:17         ` Leo Famulari
@ 2017-01-12 14:18           ` Ludovic Courtès
  0 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-12 14:18 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Tue, Jan 10, 2017 at 06:08:39PM -0500, Leo Famulari wrote:
>> On Tue, Jan 10, 2017 at 11:41:40PM +0100, Ludovic Courtès wrote:
>> > Leo Famulari <leo@famulari.name> writes:
>> > > The last time I noticed an exported replacement, I found that it was
>> > > resolved non-deterministically (using `guix build -S` in a loop), and
>> > > we made the replacement private:
>> > >
>> > > http://git.savannah.gnu.org/cgit/guix.git/commit/?id=69aa6e0995b55a38d5ce174602a107645be726d5
>> > 
>> > I can’t seem to reproduce it here, but it sounds like an interesting
>> > bug.  :-)
>> 
>> Me neither. IIRC, it would manifest at least 1/10 iterations of the
>> loop.
>
> I can reproduce it by applying the diff below on
> 88f2dd1ddf8123f628ee0b64406b6fd2a6a9f076 and running:
>
> $ while true; do ./pre-inst-env guix build gnutls -S; done
> guix build: warning: ambiguous package specification `gnutls'
> guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
> /gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
> guix build: warning: ambiguous package specification `gnutls'
> guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
> /gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
> guix build: warning: ambiguous package specification `gnutls'
> guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
> /gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
> guix build: warning: ambiguous package specification `gnutls'
> guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
> /gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz

Oh, I see.  I can imagine that this has to do with the ordering of
package objects and first-class variables in the various hash tables and
vhashes involved.

I’d say it doesn’t matter much because we shouldn’t be providing two
packages with the exact same name and version in the first place (which
is what this patch does).

Ludo’.
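
A way to spot the condition discussed in this thread from captured `guix build` output, as an added example that is not part of the original messages or of Guix itself: it groups the `choosing NAME-VERSION from FILE:LINE:COL` warnings and reports any package that was chosen from more than one definition site. The function names and the embedded sample (the four loop iterations quoted in the thread) are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration: flag packages that `guix build` resolved from more than
# one definition site across repeated runs.

# Constructed sample: the four loop iterations quoted earlier in the thread.
sample_log() {
  cat <<'EOF'
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:216:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
guix build: warning: ambiguous package specification `gnutls'
guix build: warning: choosing gnutls-3.5.4 from gnu/packages/tls.scm:139:2
/gnu/store/kfjzkvlxjp98mcf356ay027vy5p5lsp3-gnutls-3.5.8.tar.xz
EOF
}

# Reads captured output on stdin. For every NAME-VERSION that was chosen from
# more than one FILE:LINE:COL, prints "NAME-VERSION COUNT LOCATION...".
# Prints nothing when each package always resolved to a single definition.
colliding_choices() {
  awk '
    / warning: choosing / {
      # Locate the word "choosing"; package follows it, location follows "from".
      for (i = 1; i < NF; i++)
        if ($i == "choosing") { pkg = $(i + 1); loc = $(i + 3) }
      key = pkg SUBSEP loc
      if (!(key in seen)) {
        seen[key] = 1
        count[pkg]++
        locs[pkg] = locs[pkg] " " loc
      }
    }
    END {
      for (p in count)
        if (count[p] > 1) printf "%s %d%s\n", p, count[p], locs[p]
    }
  '
}

# Stand-alone run over the constructed sample.
sample_log | colliding_choices
```

On a real checkout, feed it the combined stderr of a bounded number of `guix build NAME -S` runs instead of `sample_log`.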
