* [bug#70569] [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
From: Maxim Cournoyer @ 2024-04-25 15:33 UTC (permalink / raw)
  To: 70569; +Cc: Maxim Cournoyer

This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others.  It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
  gnu: nss-3.98: Streamline source origin via inheritance.
  gnu: nss: Graft with version 3.98 [security fixes].
  system: Warn when multiple nss-certs packages are used.

 gnu/packages/librewolf.scm |  2 +-
 gnu/packages/nss.scm       | 83 +++++++++++++++++---------------------
 gnu/system.scm             | 28 ++++++++++++-
 3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
-- 
2.41.0

* [bug#70569] [PATCH 1/3] gnu: nss-3.98: Streamline source origin via inheritance.
From: Maxim Cournoyer @ 2024-04-25 15:54 UTC (permalink / raw)
  To: 70569; +Cc: john.kehayias, Maxim Cournoyer

* gnu/packages/nss.scm (nss-3.98): Simplify source via inheritance.

Change-Id: I6c1df497a7ff538162afa128eca676997d76e28f
---

 gnu/packages/nss.scm | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 00770f11a9..a2843be17a 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020, 2021 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
-;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2022, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -253,7 +253,7 @@ (define-public nss-3.98
     (inherit nss)
     (version "3.98")
     (source (origin
-              (method url-fetch)
+              (inherit (package-source nss))
               (uri (let ((version-with-underscores
                           (string-join (string-split version #\.) "_")))
                      (string-append
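Review bot: `(inherit (package-source nss))` at the head of the origin inherits the parent's `method`, `patches`, `modules` and `snippet` along with everything else, so the 3.98 origin now works only for as long as the `nss` origin stays `url-fetch` with a patch list that applies to 3.98; the `uri` kept here and the hash in the following hunk are the only fields that really differ. A one-line comment such as `;; Inherit the patches and snippet of the nss origin.` above the `inherit` line would make that dependency explicit for the next reader.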
@@ -262,17 +262,7 @@ (define-public nss-3.98
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
-              ;; Create nss.pc and nss-config.
-              (patches (search-patches "nss-3.56-pkgconfig.patch"
-                                       "nss-getcwd-nonnull.patch"
-                                       "nss-increase-test-timeout.patch"))
-              (modules '((guix build utils)))
-              (snippet
-               '(begin
-                  ;; Delete the bundled copy of these libraries.
-                  (delete-file-recursively "nss/lib/zlib")
-                  (delete-file-recursively "nss/lib/sqlite")))))
+                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nss)
        ((#:phases phases)
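Review bot: the removed `snippet` that deleted the bundled `nss/lib/zlib` and `nss/lib/sqlite` copies, and the three explicit patches (`nss-3.56-pkgconfig.patch`, `nss-getcwd-nonnull.patch`, `nss-increase-test-timeout.patch`), are now applied only indirectly through the inherited `nss` origin, and a mismatch would surface at build time rather than here. Worth confirming with `guix build -S nss@3.98` that the unpacked source still lacks those two bundled directories and that all three patches apply cleanly to the 3.98 tarball before relying on this for a security graft.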
-- 
2.41.0

* [bug#70569] [PATCH 2/3] gnu: nss: Graft with version 3.98 [security fixes].
From: Maxim Cournoyer @ 2024-04-25 15:54 UTC (permalink / raw)
  To: 70569; +Cc: john.kehayias, Maxim Cournoyer

This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.

* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this.  Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.

Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
---

 gnu/packages/librewolf.scm |  2 +-
 gnu/packages/nss.scm       | 71 ++++++++++++++++++++------------------
 2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ (define-public librewolf
                   mesa
                   mit-krb5
                   nspr
-                  nss-3.98
+                  nss/fixed
                   pango
                   pciutils
                   pipewire
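Review bot: renaming the public variable `nss-3.98` to `nss/fixed` without leaving an alias breaks any channel or manifest that referred to `nss-3.98` by variable name, and since `nss/fixed` is hidden it is also no longer reachable by `guix install nss@3.98`; consider keeping a deprecated alias for the old name via `(guix deprecation)`. Note also that librewolf now depends on `nss/fixed` directly, so it gets a full rebuild against 3.98 rather than the graft that every other `nss` dependent receives, which is fine but should be said in the commit message.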
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ (define-public nss
     ;; version and source to avoid a top-level variable reference & module
     ;; cycle.
     (version "3.88.1")
+    (replacement nss/fixed)
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
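Review bot: `(replacement nss/fixed)` refers to a variable that is only defined later in the file; this works because the `replacement` field is thunked, which deserves a short comment next to the line so a reader does not expect an unbound-variable error. Since grafting rewrites store file names in place, the replacement's `name-version` must have exactly the same length as `nss-3.88.1`; that constraint is what the `".0"` padding in the second hunk of this patch exists for, and a pointer to it here would help.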
@@ -248,38 +249,40 @@ (define-public nss
 security standards.")
     (license license:mpl2.0)))
 
-(define-public nss-3.98
-  (package
-    (inherit nss)
-    (version "3.98")
-    (source (origin
-              (inherit (package-source nss))
-              (uri (let ((version-with-underscores
-                          (string-join (string-split version #\.) "_")))
-                     (string-append
-                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
-                      "releases/NSS_" version-with-underscores "_RTM/src/"
-                      "nss-" version ".tar.gz")))
-              (sha256
-               (base32
-                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments nss)
-       ((#:phases phases)
-        #~(modify-phases #$phases
-            (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
-                (if tests?
-                    (begin
-                      ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
-                      ;; testing.  The latter requires a working DNS or /etc/hosts.
-                      (setenv "DOMSUF" "localdomain")
-                      (setenv "USE_IP" "TRUE")
-                      (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+  (let ((actual-version "3.98"))
+    (hidden-package
+     (package
+       (inherit nss)
+       (version (string-append actual-version ".0")) ;for grafts requirements
+       (source (origin
+                 (inherit (package-source nss))
+                 (uri (let ((version-with-underscores
+                             (string-join (string-split actual-version #\.) "_")))
+                        (string-append
+                         "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                         "releases/NSS_" version-with-underscores "_RTM/src/"
+                         "nss-" actual-version ".tar.gz")))
+                 (sha256
+                  (base32
+                   "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+       (arguments
+        (substitute-keyword-arguments (package-arguments nss)
+          ((#:phases phases)
+           #~(modify-phases #$phases
+               (replace 'check
+                 (lambda* (#:key tests? #:allow-other-keys)
+                   (if tests?
+                       (begin
+                         ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+                         ;; testing.  The latter requires a working DNS or /etc/hosts.
+                         (setenv "DOMSUF" "localdomain")
+                         (setenv "USE_IP" "TRUE")
+                         (setenv "IP_ADDRESS" "127.0.0.1")
 
-                      ;; The "PayPalEE.cert" certificate expires every six months,
-                      ;; leading to test failures:
-                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
-                      ;; work around that, set the time to roughly the release date.
-                      (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
-                    (format #t "test suite not run~%"))))))))))
+                         ;; The "PayPalEE.cert" certificate expires every six months,
+                         ;; leading to test failures:
+                         ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
+                         ;; work around that, set the time to roughly the release date.
+                         (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+                       (format #t "test suite not run~%"))))))))))))
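Review bot: the comment `;for grafts requirements` on the `version` line is too terse to be actionable; state the actual constraint (the grafted store path must have the same length as `nss-3.88.1`, so `3.98` is padded to `3.98.0`), otherwise the next bump to a version with a different number of digits will silently produce an invalid graft. A quick check is to compare `guix build nss` with `guix build --no-grafts nss` and confirm the grafted output's references point at the `nss-3.98.0` store item. The rest of the hunk is a pure re-indentation under `hidden-package`, with `actual-version` used consistently in both the `uri` and the tarball name, and the `faketime` date `2024-01-23` is unchanged, which is consistent with the 3.98 source hash staying the same as in the previous patch.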
-- 
2.41.0

* [bug#70569] [PATCH 3/3] system: Warn when multiple nss-certs packages are used.
From: Maxim Cournoyer @ 2024-04-25 15:54 UTC (permalink / raw)
  To: 70569; +Cc: john.kehayias, Maxim Cournoyer, Ian Eure

This can happen due to users providing 'nss-certs' and adding it to the
%base-packages, which now include 'nss-certs'.

* gnu/system.scm (operating-system-packages): Warn when multiple nss-certs
packages are detected; keep only the latest one.

Change-Id: I6104f134ea1cc155ae9e8e0ae70bb5a38fc05800
Reported-by: Ian Eure <ian@retrospec.tv>
---

 gnu/system.scm | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index c7f8003ad2..025834328c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -43,7 +43,8 @@ (define-module (gnu system)
   #:use-module (guix deprecation)
   #:use-module (guix derivations)
   #:use-module (guix profiles)
-  #:use-module ((guix utils) #:select (substitute-keyword-arguments))
+  #:use-module ((guix utils) #:select (substitute-keyword-arguments
+                                       version>?))
   #:use-module (guix i18n)
   #:use-module (guix diagnostics)
   #:use-module (guix ui)
@@ -275,7 +276,7 @@ (define-record-type* <operating-system> operating-system
   (issue operating-system-issue                   ; string
          (default %default-issue))
 
-  (packages operating-system-packages             ; list of (PACKAGE OUTPUT...)
+  (packages %operating-system-packages            ; list of (PACKAGE OUTPUT...)
             (default %base-packages))             ; or just PACKAGE
 
   (timezone operating-system-timezone
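Review bot: renaming the record accessor to `%operating-system-packages` leaves the exported name `operating-system-packages` bound to the wrapper defined in the next hunk, so the module's `#:export` list (not in this diff) needs no change; do confirm no other module imported the raw accessor with `#:select`, because such an import would now bypass the duplicate check entirely.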
@@ -316,6 +317,29 @@ (define-deprecated (operating-system-hosts-file os)
   hosts-service-type
   (%operating-system-hosts-file os))
 
+;;; XXX: Remove after a new release of Guix no longer suggests to install
+;;; nss-certs.
+(define (operating-system-packages os)
+  "Return the packages of the OS <operating-system> record object."
+  ;; This wrapper is used to warn users that their operating system packages
+  ;; field contains a duplicated nss-certs packages.
+  (let* ((packages (%operating-system-packages os))
+         (nss-certs-packages (sort (filter (lambda (p)
+                                             (string=? "nss-certs" (package-name p)))
+                                           packages)
+                                   (lambda (x y)
+                                     ;; Sort from newer to older versions.
+                                     (version>? (package-version x)
+                                                (package-version y))))))
+    (if (> (length nss-certs-packages) 1)
+        (begin
+          (warning #f
+                   (G_ "multiple 'nss-certs' packages found; 'nss-certs' \
+is now included by default in '%base-packages'; ensure it is not explicitly \
+listed in the operating system 'packages' field~%"))
+          (fold delete packages (drop nss-certs-packages 1)))
+        packages)))
+
 (define* (operating-system-kernel-arguments
           os root-device #:key (version %boot-parameters-version))
   "Return all the kernel arguments, including the ones not specified directly
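Review bot: `(fold delete packages (drop nss-certs-packages 1))` removes every occurrence of each dropped package rather than only the extra copy: in the common case where the user's `nss-certs` is the very same package object as the one in `%base-packages`, `nss-certs-packages` holds that object twice, `drop` keeps one copy, and SRFI-1 `delete` then strips both from `packages`, leaving the system with no `nss-certs` at all, the opposite of what the warning text promises. Keep the first occurrence explicitly instead, for example by removing duplicates with `delete-duplicates` or by rebuilding the list so that only later occurrences of the same package are dropped. Second, the filter calls `(package-name p)` on every element even though the field comment in the previous hunk says entries may be `(PACKAGE OUTPUT...)` lists, so a package-with-output entry would raise a wrong-type error; guard with `(and (package? p) (string=? "nss-certs" (package-name p)))`. Finally, the warning fires on every call to `operating-system-packages`, which may run several times during one `guix system` invocation, so expect it to be repeated.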
-- 
2.41.0

* bug#70569: [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
From: Maxim Cournoyer @ 2024-04-26 11:12 UTC (permalink / raw)
  To: 70569-done; +Cc: John Kehayias, Ian Eure

Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> This series fixes recent security vulnerabilities affecting NSS and thus our
> Icecat package, among others.  It also handles the presence of multiple
> nss-certs packages in an operating system's packages field declaration.
>
>
> Maxim Cournoyer (3):
>   gnu: nss-3.98: Streamline source origin via inheritance.
>   gnu: nss: Graft with version 3.98 [security fixes].
>   system: Warn when multiple nss-certs packages are used.

Pushed to master.  Closing!

-- 
Thanks,
Maxim