From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55196)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dJgvu-0007Ub-PU
	for guix-patches@gnu.org; Sat, 10 Jun 2017 10:00:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dJgvr-0005n4-Nx
	for guix-patches@gnu.org; Sat, 10 Jun 2017 10:00:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:36321)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dJgvr-0005mw-K7
	for guix-patches@gnu.org; Sat, 10 Jun 2017 10:00:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dJgvr-0004m9-9G
	for guix-patches@gnu.org; Sat, 10 Jun 2017 10:00:03 -0400
Subject: bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
Resent-Message-ID: <handler.27308.B.149710316318277@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54982)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1dJgut-00070Y-6z
	for guix-patches@gnu.org; Sat, 10 Jun 2017 09:59:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1dJgup-0005VY-Ui
	for guix-patches@gnu.org; Sat, 10 Jun 2017 09:59:03 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:56141)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1dJgup-0005V4-EQ
	for guix-patches@gnu.org; Sat, 10 Jun 2017 09:58:59 -0400
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 10 Jun 2017 15:58:51 +0200
Message-Id: <20170610135851.6341-1-mbakke@fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 27308@debbugs.gnu.org

This update addresses the following security advisories:

GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.

These links contain more information about the vulnerabilities and releases:

https://gnutls.org/security.html
https://gnutls.org/news.html

* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register patches.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.13): New variable.
---
 gnu/local.mk                                       |  2 ++
 .../patches/gnutls-skip-pkgconfig-test.patch       | 24 ++++++++++++++++++++++
 .../patches/gnutls-skip-trust-store-test.patch     | 15 ++++++++++++++
 gnu/packages/tls.scm                               | 20 ++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
 create mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 686c3c639..70b4a44a1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -640,6 +640,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/gmp-faulty-test.patch			\
   %D%/packages/patches/gnome-tweak-tool-search-paths.patch	\
   %D%/packages/patches/gnucash-price-quotes-perl.patch		\
+  %D%/packages/patches/gnutls-skip-trust-store-test.patch	\
+  %D%/packages/patches/gnutls-skip-pkgconfig-test.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
new file mode 100644
index 000000000..1fad7c14e
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
@@ -0,0 +1,24 @@
+FIXME: The static test fails with an error such as:
+
+/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main':
+c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init'
+collect2: error: ld returned 1 exit status
+FAIL pkgconfig.sh (exit status: 1)
+
+diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh
+index 6bd4e62f9..05aab8278 100755
+--- a/tests/pkgconfig.sh
++++ b/tests/pkgconfig.sh
+@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:"
+ echo "  * flags: $(${PKGCONFIG} --libs gnutls)"
+ echo "  * common: ${COMMON}"
+ echo "  * lib: ${CFLAGS}"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+-
+-echo ""
+-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
++gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+ 
+ rm -f ${TMPFILE} ${TMPFILE_O}
+ 
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
new file mode 100644
index 000000000..e0536712a
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
@@ -0,0 +1,15 @@
+Version 3.5.11 added a test to check that the default trust store is readable.
+It does not exist in the build environment, so pretend everything is fine.
+
+diff a/tests/trust-store.c b/tests/trust-store.c
+--- a/tests/trust-store.c
++++ b/tests/trust-store.c
+@@ -61,7 +61,7 @@
+ 	} else if (ret < 0) {
+ 		fail("error loading system trust store: %s\n", gnutls_strerror(ret));
+ 	} else if (ret == 0) {
+-		fail("no certificates were found in system trust store!\n");
++		success("no trust store in the Guix build environment!\n");
+ 	}
+ 
+ 	gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 8964abb2f..69dcb015b 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -142,6 +143,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.5.13)
     (version "3.5.9")
     (source (origin
              (method url-fetch)
@@ -214,6 +216,24 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define gnutls-3.5.13
+  (package
+    (inherit gnutls)
+    (version "3.5.13")
+    (replacement #f)
+    (source (origin
+              (method url-fetch)
+              (uri
+               (string-append "mirror://gnupg/gnutls/v"
+                              (version-major+minor version)
+                              "/gnutls-" version ".tar.xz"))
+              (patches
+               (search-patches "gnutls-skip-trust-store-test.patch"
+                               "gnutls-skip-pkgconfig-test.patch"))
+              (sha256
+               (base32
+                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))))
+
 (define-public gnutls/guile-2.2
   ;; GnuTLS for Guile 2.2.  This is supported by GnuTLS >= 3.5.5.
   (package
-- 
2.13.1